Forefront TMG 2010: How to install and configure Forefront TMG 2010 — Step by step

Forefront TMG 2010 builds on the core capabilities of Microsoft Internet Security and Acceleration (ISA) Server 2004/2006 to deliver a comprehensive, integrated network security gateway. It adds protection capabilities that help secure the corporate network against Internet-based threats and against abuse of the network by internal and external parties, and it extends the management tooling for security and protection. Forefront TMG 2010 is available in Standard Edition and Enterprise Edition. Standard Edition does not support arrays, NLB, CARP or the Enterprise Management Server. For E-mail Protection, both editions require additional Exchange licensing.

Forefront TMG 2010 provides the following enhanced protection capabilities:

  • Malware inspection
  • URL filtering
  • HTTP filtering
  • HTTPS inspection
  • E-mail protection
  • Network Inspection System (NIS)
  • Intrusion detection and prevention
  • Secure routing and VPN

Understanding Network Topology

The following Forefront TMG network topologies are available:

  • Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network and the external network (usually the Internet).

  • 3-Leg perimeter—This topology implements a perimeter (DMZ) network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks and the external network.

  • Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.

  • Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet.

Functionality of a single network adapter topology

The single network adapter topology enables limited Forefront TMG functionality, which includes:

  • Forward (CERN) proxy for HTTP, HTTPS, and CERN proxy FTP (download only).
  • Web caching for HTTP and CERN proxy FTP.
  • Web publishing of HTTP-based communications, such as Microsoft Office SharePoint Server, Exchange 2007 Outlook Web Access, ActiveSync, remote procedure call (RPC) over HTTP (Outlook Anywhere), Terminal Services Gateway and WS-Management-based traffic.
  • Dial-in client virtual private network (VPN) access.


Limitations of a single network adapter topology

The following limitations apply when you use the single network adapter topology:

  • Server publishing and site-to-site VPN are not supported.
  • SecureNAT and Forefront TMG Client traffic are not supported (only Web proxy clients are handled).
  • Access rules must be configured with source addresses that use only internal IP addresses.
  • Firewall policies must not refer to the External network, because with one adapter TMG has no way to tell internal from external traffic.

Hardware Requirements

System requirements depend on the number of users and the deployment scenario. Forefront TMG is a critical component of the ICT infrastructure, so give the server generous processing power and memory; the following specification gives good performance for a typical deployment.

Processor: Intel Xeon or Core i7 (dual-core or quad-core) or AMD Opteron (dual-core or quad-core). Enable Intel Hyper-Threading Technology in the BIOS on Intel server boards.

RAM: 8 GB

Disk space: 50 GB system partition, plus 150 GB for logging and 60–100 GB for web caching on separate partitions. RAID 5 is highly recommended.

NIC: two Gigabit NICs in a redundant configuration (the number of NICs depends on the deployment scenario; see the topologies above).

Important! Forefront TMG 2010 is a 64-bit only product.

Operating Systems and features

Windows Server 2008 SP2 (64-bit) or Windows Server 2008 R2

Microsoft .NET Framework 3.5 SP1

Windows Web Services API (built into Windows Server 2008 R2; a separate update on Windows Server 2008 SP2)

Network Policy Server

Routing and Remote Access Services

Active Directory Lightweight Directory Services Tools

Network Load Balancing Tools

Windows PowerShell

Windows Installer 4.5

Important! Do not install any application on the TMG server other than an antivirus program; it must be a dedicated server for Forefront TMG. Disable unnecessary services after installing the operating system. Install a machine certificate from your Enterprise Root CA before installing TMG. In this guide the TMG server is a member of the Active Directory domain; domain membership is what allows integrated (Windows) authentication of internal users, so a workgroup deployment loses that capability.

Installation of Forefront TMG

Prepare a 64-bit Windows Server 2008 system and insert the Forefront TMG DVD. Run the Preparation Tool; it installs the prerequisite roles and features listed above.

Click Continue on the UAC authorization prompt.

Check Launch TMG installation and click Finish.

Add the ranges of internal IP addresses, for example 10.10.10.1 to 10.10.10.255. You can add as many ranges as you have internal subnets. Define this list carefully: TMG treats every address in these ranges as part of the Internal network, so it must match the subnets reachable through the internal NIC and must not overlap the perimeter or external address space.

Open Forefront TMG Management from the Start menu. TMG will automatically prompt you for the initial configuration.

Step 1: Network Setup Wizard—Use this to configure the network adapters on the server. Each network adapter is associated with a unique Forefront TMG network. Every NIC on the TMG server must have a static IP address before you proceed with the network settings.

This is the most important part of the configuration, because here you choose the network topology. I am configuring a De-militarized Zone (DMZ), that is, the 3-Leg Perimeter template. Select the template that matches your own layout.

In this section you select the network relationship (route or NAT) between the internal, perimeter (DMZ) and external networks. For example, my Forefront TMG 2010 server routes between internal and perimeter and uses NAT between perimeter and external, because I chose private addresses for the perimeter; this hides the IP addresses of my perimeter network from the Internet.
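The wizard assumes the adapters are already laid out correctly, and most of the connectivity problems in the comments below come from a default gateway on the wrong NIC or a DHCP-assigned address. The following PowerShell check is an added example, not part of the original post or of the TMG product; it reads the adapter configuration through WMI and flags the mistakes the wizard will otherwise inherit. The adapter name "External" is an assumption for your server; change $ExternalName to match the name shown in Network Connections.

```powershell
# Added example (not from the original post): sanity-check the TMG server's
# NIC layout before running the Network Setup Wizard.
# Rules checked:
#   - every IP-enabled adapter has a static address (no DHCP)
#   - exactly one adapter, the external one, carries a default gateway
#   - the non-external adapters point at DNS servers (the internal DNS)
# Assumption: the external adapter is named "External" in Network Connections.

$ExternalName = 'External'

function Get-TmgAdapterReport {
    # Win32_NetworkAdapterConfiguration holds the IP settings; Win32_NetworkAdapter
    # holds the friendly name (NetConnectionID). Both share the Index property.
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($cfg in $configs) {
        $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
        New-Object PSObject -Property @{
            Name       = $nic.NetConnectionID
            Dhcp       = [bool]$cfg.DHCPEnabled
            IPv4       = @($cfg.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
            Gateway    = @($cfg.DefaultIPGateway)
            DnsServers = @($cfg.DNSServerSearchOrder)
        }
    }
}

function Test-TmgNicLayout {
    param(
        [Parameter(Mandatory = $true)] $Adapters,
        [string] $External = $ExternalName
    )
    $problems = @()
    foreach ($a in $Adapters) {
        if ($a.Dhcp) {
            $problems += "$($a.Name): address assigned by DHCP; TMG adapters need static IPs"
        }
        if ($a.Name -eq $External) {
            if ($a.Gateway.Count -eq 0) { $problems += "$($a.Name): external adapter has no default gateway" }
        } else {
            if ($a.Gateway.Count -gt 0) {
                $problems += "$($a.Name): has default gateway $($a.Gateway -join ',') but only $External should"
            }
            if ($a.DnsServers.Count -eq 0) { $problems += "$($a.Name): no DNS servers configured" }
        }
    }
    if (-not ($Adapters | Where-Object { $_.Name -eq $External })) {
        $problems += "no adapter named '$External' found; check `$ExternalName"
    }
    return $problems
}

$report = Get-TmgAdapterReport
$report | Format-Table Name, Dhcp, IPv4, Gateway, DnsServers -AutoSize
$problems = Test-TmgNicLayout -Adapters $report
if ($problems.Count -eq 0) { 'NIC layout OK: proceed with the Network Setup Wizard' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated PowerShell on the TMG server. Anything reported as PROBLEM should be fixed in the adapter properties before the wizard runs, because the wizard maps adapters to TMG networks based on exactly these settings.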

Step 2: System Configuration Wizard—Use this to configure operating system settings, such as the computer name and domain or workgroup membership.

Step 3: Deployment Wizard—Use this to configure malware protection for Web traffic, and to join the customer feedback program and telemetry service.

Networks, Proxy and Update Configuration

Open Forefront TMG Management. In the left pane, select Update Center. Click Configure Settings in the task pane and set the update policy. If you have Windows Server Update Services (WSUS), you may select WSUS; otherwise use Microsoft Update.

Select Networking > Networks tab > double-click Internal. You will be presented with the Internal Properties dialog. Configure the tabs as shown below.

In the Domains tab, add your internal domain(s), for example *.wolverine.com.au. Clients will access hosts in these domains directly instead of through the proxy.

In the Web Browser tab, check Bypass proxy for Web servers in this network and Directly access computers specified in the Domains tab.

In the Addresses tab, verify the internal IP ranges you added during installation. You can add more internal ranges here if you need to.

In the Auto Discovery tab, check Publish automatic discovery information for this network and keep port 80 as the default.

In the Forefront TMG Client Settings tab, check Enable Forefront TMG Client support for this network. Un-check Automatically detect settings and Use automatic configuration script, and check Use a Web proxy server.

In the Web Proxy tab, enable HTTP on the default port 8080 (you can use another port, such as 80, if you prefer). Click Authentication and check Integrated. Leave Require all users to authenticate unchecked and enforce authentication through the user sets on your access rules instead; otherwise clients that cannot answer the Windows challenge fail every request with HTTP 407. Click Advanced and check Unlimited. Now Apply and OK.

Apply changes.

Now repeat this configuration for the perimeter network as you did for the internal network.

Connecting Active Directory, DNS and DHCP

Set up connectivity verifiers for Microsoft Active Directory, DNS and DHCP. Click Monitoring > Connectivity Verifiers > Create New Connectivity Verifier, and create a verifier for Active Directory.

Click Next and Finish. Repeat for DNS and DHCP. If you have an upstream proxy, create a verifier for it using the same method.

Create HTTP and HTTPS rule

By default, all traffic is denied. Now create web access rules for the internal network allowing HTTP and HTTPS traffic from Internal to External and Perimeter, and from Perimeter to External and Internal. Click Firewall Policy > Create Access Rule in the task pane. Scope the rule for internal users to an authenticated user set (for example, a specific AD group) rather than All Users, so that TMG authenticates the client before the rule matches and the default deny still applies to anyone who cannot authenticate. Be cautious with the Perimeter-to-Internal rule: a DMZ host should normally be allowed to reach only the specific internal servers it needs, not the whole Internal network.

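The same rules can be created with the Forefront TMG administration COM object model (FPC.Root), which is what the management console itself drives. The script below is an added example and not code from the original post or from Microsoft; it creates the Internal-to-External/Perimeter rule scoped to All Authenticated Users and the Perimeter-to-External rule, and deliberately omits the Perimeter-to-Internal rule so you can scope its destination to specific servers by hand. The rule names are placeholders; "Internal", "External", "Perimeter", "HTTP", "HTTPS", "All Users" and "All Authenticated Users" are the built-in names TMG creates with the 3-Leg Perimeter template, and the enumeration values are those of the ISA/TMG SDK.

```powershell
# Added example (not from the original post): create the HTTP/HTTPS access
# rules described above through the TMG administration COM object model.
# Run in an elevated PowerShell on the TMG server. Assumptions: rule names are
# placeholders; network, protocol and user-set names are TMG's built-in defaults.

$fpcInclude               = 0   # FpcIncludeStatus: include the referenced element
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: Allow
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: only the listed protocols

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

function New-WebAccessRule {
    param(
        [string]   $Name,
        [string[]] $From,      # TMG network names, e.g. 'Internal'
        [string[]] $To,        # TMG network names, e.g. 'External'
        [string]   $UserSet    # TMG user set, e.g. 'All Authenticated Users'
    )
    $rule = $rules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionAllow
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    $rule.AccessProperties.SpecifiedProtocols.Add('HTTP',  $fpcInclude)
    $rule.AccessProperties.SpecifiedProtocols.Add('HTTPS', $fpcInclude)
    foreach ($n in $From) { $rule.SourceSelectionIPs.Networks.Add($n, $fpcInclude) }
    foreach ($n in $To)   { $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($n, $fpcInclude) }
    # Scoping the rule to a user set other than "All Users" is the security-relevant
    # choice: TMG must authenticate the client before this rule can match.
    $rule.AccessProperties.UserSets.Add($UserSet, $fpcInclude)
    return $rule
}

# Outbound web access for authenticated internal users (weak setting would be 'All Users').
New-WebAccessRule -Name 'Allow Web Internal to External and Perimeter' `
                  -From 'Internal' -To 'External', 'Perimeter' `
                  -UserSet 'All Authenticated Users' | Out-Null

# DMZ hosts have no interactive user to authenticate, so this rule must use
# 'All Users'; keep its source and destination as narrow as the workload needs.
New-WebAccessRule -Name 'Allow Web Perimeter to External' `
                  -From 'Perimeter' -To 'External' `
                  -UserSet 'All Users' | Out-Null

$array.Save()    # same effect as clicking Apply in the console
```

After Save() the rules appear at the bottom of the Firewall Policy list, above the default deny rule; move them as needed, since TMG evaluates rules top to bottom and the first match wins.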

Test Forefront TMG Setup

Now the moment of truth. Log on to a computer in any internal network with domain user credentials, configure the proxy in Internet Explorer's connection settings (or rely on automatic discovery), and browse the Internet.

Thumbs up.
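Browsing in IE confirms the happy path but hides what TMG actually answered when it fails. The following client-side check is an added example, not part of the original post; it sends a request through the proxy with the logged-on user's Windows credentials (the Integrated option configured on the Web Proxy tab) and, optionally, with no credentials at all, and reports the status code TMG returned. The proxy address tmg.wolverine.com.au:8080 and the test URL are placeholders for your environment.

```powershell
# Added example (not from the original post): exercise the TMG web proxy from a
# domain-joined client and report the HTTP status TMG returned.
# Assumptions: proxy host/port and test URL are placeholders.

function Test-ProxyAccess {
    param(
        [string] $ProxyUri = 'http://tmg.wolverine.com.au:8080',
        [string] $Url      = 'http://www.microsoft.com/',
        [switch] $Anonymous    # send no credentials, as a non-domain client would
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    $proxy = New-Object System.Net.WebProxy($ProxyUri)
    if (-not $Anonymous) {
        # Integrated (Windows) authentication: reuse the logged-on user's token.
        $proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    }
    $req.Proxy = $proxy
    try {
        $resp   = $req.GetResponse()
        $result = @{ Status = [int]$resp.StatusCode; Via = $resp.Headers['Via']; Error = $null }
        $resp.Close()
    } catch [System.Net.WebException] {
        # Non-2xx answers (407, 502) surface as WebException with the response attached.
        $e      = $_.Exception
        $status = if ($e.Response) { [int]$e.Response.StatusCode } else { $null }
        $result = @{ Status = $status; Via = $null; Error = $e.Message }
    }
    New-Object PSObject -Property $result
}

# How to read the result:
#   200 with a Via header naming the TMG server -> access rule matched, user authenticated
#   407 Proxy Authentication Required           -> TMG wants credentials: the client is not
#                                                  domain-joined, the user is outside the
#                                                  rule's user set, or "Require all users to
#                                                  authenticate" is set on the Web Proxy tab
#   502 with a TMG error page (e.g. code 12202) -> request denied by policy (default deny)
Test-ProxyAccess
Test-ProxyAccess -Anonymous
```

Comparing the two calls is the useful part: if the authenticated request gets 200 and the anonymous one gets 407, the rules are enforcing authentication as intended; if both get 200, an access rule is almost certainly scoped to All Users.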

Remote Management Console Installation

Forefront TMG itself is 64-bit only, but a 32-bit TMG Management console for administrator workstations is available for download from Microsoft.

This entry was posted in Forefront Technologies.

94 Responses to Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

  1. Pingback: Migrating a single ISA Server to Forefront TMG 2010 Step by Step « Information Technology Blog

  2. Deepak says:

    This is a good resource.. Thanks for posting.

  3. Abhilash says:

    Great work….thanks for posting

  4. Mohsin says:

    Great work, Thanks for posting.

    How do we configure Multiple TMG servers For redundency?

    For redundency does both TMG servers needs to be joined in AD?

    • Raihan says:

      Hello Mohsin,
      You need the TMG Enterprise edition. Once you have configured the primary TMG server, install the second one; at the beginning of installation it will ask you to join another TMG array or configuration storage server. Once it joins the array, it will get all the config.
      Both TMG servers must join AD DS. Otherwise you will not be able to install certificates and configure integrated authentication for the internal network.
      Regards,
      Raihan

      • Ajay Gautam says:

        Dear Raihan,
        Thanks for posting all these valuable TMG 2010 solutions.

        Question: please describe the use of a TMG array in an AD environment.

        How do we configure TMG 2010 arrays in AD DS?
        Thanks

  5. Pingback: How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide « Information Technology Blog

  6. Pingback: Exchange 2010 deployment in different firewall scenario « Information Technology Blog

  7. Pingback: How to configure reverse proxy using Forefront TMG 2010— step by step | MicrosoftGURU

  8. Pingback: Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step | MicrosoftGURU

  9. Pingback: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step | MicrosoftGURU

  10. Abdellah El Bilali says:

    This was very helpful and easy to follow.
    I still have some issues with my configuration; your help is greatly appreciated.
    • I have configured TMG 2010 as a domain member with two NICs, one internal and an external one on the DMZ. My goal is to use TMG explicitly for external OWA and mobile device connectivity, and users should only need to authenticate once. I do not want internal users to use TMG to authenticate.
    This is what I have completed:
    • Configured a firewall policy for OWA/Listener.
    • Re-used the same SSL certificate we are using internally for the external access.
    • I can now access the external URL but still need to add “/OWA” at the end of my URL to have it working.

    What I am having problems with is:
    • Having to add “/OWA” at the end of the URL
    • I still need to authenticate twice, it looks like pass-through authentication is not working
    • Customize the forms to allow for branding
    • Enable the external mobile connectivity
    Any help will be appreciated,
    Regards,
    Abdellah El Bilali

    • Right-click the OWA publishing rule > Properties > change the public name of the URL so that webmail points automatically to whatever site you want. On your CAS server, please check what type of authentication has been selected and select the appropriate authentication. Is TMG integrated with AD? Please set up a proper connectivity verifier for AD. That should solve your problem.

  11. Ivan Cruz says:

    Raihan,

    Thanks for this article. I have followed it step by step but still haven’t managed to get TMG running.

    I installed TMG 2010 on Windows 2008 R2. I want all LAN traffic to go through this server to do some serious URL blocking, so I chose edge firewall to begin with. I don’t have AD, I’m not using domains, and I currently have a 20-PC LAN with a router for NAT. So in the server I have two NICs; the 1st one is configured as:
    WAN connected directly to cable modem
    public ip: 194.180.x.x/24
    gw: 194.180.x.1
    dns: 194.180.x.x

    LAN connected to a switch where other computers will connect too
    ip: 10.10.10.1
    gw:

    In the Network and Sharing Center it says the WAN NIC has Internet access but the LAN does not.

    I have created firewall rules allowing internal to have HTTP and HTTPS access, but there’s no bond between LAN 10.10.10.1 and WAN 190.184.x.x. What can I do?

    thank you very much in advance.

    • Are you able to browse the Internet on the TMG server? Your proxy server IP and port need to be configured in the clients’ IE. If you configure edge firewall, then routing will be automated by TMG; you need to create rules for HTTP, HTTPS, FTP etc. In your situation the default gateway of the clients would be your TMG’s internal NIC.
      You also need an authentication method for clients, such as Active Directory. Deliver proxy settings through GPO. Set up a connectivity verifier in TMG; then clients will get Internet once they log on using an AD account.

      • Ivan Cruz says:

        Yes, I am able to browse the Internet on the TMG server. What gateway should the internal network NIC have? Itself? Like this:
        ip 10.10.10.1
        gw 10.10.10.1?
        The internal NIC says it has Internet access only if it is in the same IP network as the external. But the ideal should be external with a public address and internal with a private one.
        Is there a way to do it without AD authentication? I feel like just creating the firewall rules allowing access from internal to Internet and routing and NATing networks should be enough.
        I would appreciate one final piece of advice, thank you.

        • External NIC of TMG must have IP, mask, DG and DNS.
          Internal NIC of TMG must have IP, mask and DNS, but **no DG**.

          Your internal clients must authenticate to go outside. If there is no authentication, then how would TMG verify who is who? Finally, add the internal networks’ IP addresses to the Internal IP range of TMG and check. I am sure TMG is declining the request because of authentication failure.

  12. Kashif Noor says:

    AoA,
    I have downloaded Microsoft Forefront TMG Enterprise Edition from the Microsoft website. When the installer begins it shows the error message “Package Integrity distribution”. Please help me regarding this error.
    Note: I am running Windows 2008 Server on my server machine (Dell PowerEdge 2600).

    • What version of Win2k8?
      Please check the system requirements and download the correct ISO from the Microsoft Download Center or TechNet.

      • Kashif Noor says:

        Thanks for reply.

        I am using Windows Server 2008 (Enterprise Edition) with SP1 without Hyper-V.

        And my system specification is: Dell PowerEdge Server 2600 (2.6 Mhz with 2 GB RAM, 400 GB Harddisk).

        Regards

        Kashif noor

  13. Pingback: Configure non-domain Forefront TMG to allow traffic from domain members and domain clients | MicrosoftGURU

  14. Pingback: FF TMG 2010: Configure ISP Redundancy— Step by Step | MicrosoftGURU

  15. Hello Terry,
    I do not recommend using a single-NIC TMG. Single NIC is less functional than an edge configuration. There are three web listeners in your case: a) SharePoint b) OWA c) IIS. Your communication is going via a Cisco PIX. Please change your layout: use TMG as back firewall and reverse proxy and put the Cisco firewall at the front end. Alternatively, use back-to-back firewalls and a reverse proxy.

    Let me know if you need further info.

    regards,
    raihan

  16. Wajid Rasa says:

    Hello
    It is a great posting. I have made two firewall rules in TMG 2010. 1. FROM (URLs for the whole org) TO specific websites {users are permitted to visit specific websites only}
    2. FROM IT Department TO External {everything is permitted for these specified IPs}

    Now the second rule is okay, but the first rule is not showing anything to users, and users can’t browse the specific websites either. If I add the proxy in the IE LAN setup it shows me a block message.

    Please help, what to do?

    Regards

    • Users cannot be in both allow and deny groups, or allow takes precedence. Please add the correct AD groups in TMG, such as IT, Sales, Marketing, HR etc., and apply rules for those groups.

  17. Wajid Rasa says:

    Users are not in both allow and deny groups. The IT department’s IPs are different and other users have different IPs.

    Regards

  18. kai says:

    Why must I implement a gateway such as TMG for OWA on an Exchange 2010 server?
    Is there a way I can bypass it and just place the OWA server in a DMZ zone, like with Exchange 2003?

    Thanks.

    Kai

    • TMG is secure and provides reverse proxy functionality for OWA. You can publish Exchange server, ActiveSync and Outlook Anywhere with TMG. TMG is also capable of securing the DMZ you are thinking of. TMG is feature-packed: cost-effective URL filtering, greater administrative control and much more. So why not TMG?

  19. Solim says:

    Raihan thank you very much for your very very useful articles

  20. Tarik Karic says:

    Hi,

    I am looking to configure the FF in back-to-back firewalls with an ASA5510 as the front one, and the FF will be on VMware. Not sure if that is supported and what is the best configuration for the networks, as I’d like to avoid double NAT. Also I would like not to have to publish incoming rules twice, once on the ASA and a second time on the FF.
    Any advice would be greatly appreciated.

    Tarik

    • Hello Tarik,
      You can use the ASA5510 as your front-end firewall and FF TMG 2010 as back-end firewall and proxy. But do not make it three-tier using your method. Alternatively, TMG as front end and TMG as back end is much better.

  21. Wajid says:

    Hello,

    How do I block “Facebook, Twitter, etc.” on HTTPS (port 443) without enabling HTTPS inspection in TMG 2010?

    Regards,

  22. uzair says:

    Dear Raihan,

    I want to install TMG. I have 3 networks: local, perimeter and external (Internet). I want to allow Internet to all LAN users, and some external or remote users will use my perimeter server. I have no DC and no AD. Is it possible to install TMG without AD or a DC and do SERVER PUBLISHING for port forwarding?

    Please add your input with complete details, or with an article.

    Regards
    uzair

  23. uzair says:

    Dear Raihan,

    Is a certificate server or authentication server needed or not? Please update, and if you have a link on CA settings please share it.

  24. Fars says:

    I’m having issues with domain authentication with TMG2010 std.

    I just got a new server for the standalone perimeter device, with two NICS – one for internal LAN and the other for external. I joined it to the domain, fully updated (windows update) and then proceeded to install TMG2010.

    I followed the basic steps to the letter, yet my TMG has issues with not being able to resolve the domain. I can ping my AD and DNS servers, but cannot authenticate.
    I’ve configured the domain for the internal network, and the network adapter binding has the internal NIC at the very top so it resolves internally before it tries to go out.
    nltest /sc_query returns an error.

    Any insight on what I may have done wrong or forgotten to realize will be greatly appreciated.

    Thanks.

  25. Mohamed Rhizad says:

    I have a perimeter firewall, a SonicWall NSA 3500, NATing External to Internal and also External to DMZ. The Internal zone is connected to TMG with redundancy.

    In the DMZ zone I have an SSL VPN box also.

    The issue is:
    The DMZ zone cannot ping or RDP to the internal network.
    Through packet capture I am seeing that the SonicWall is forwarding to TMG,
    but there is no reply.

    • TMG blocks everything by default. Can you please open the ping protocol from the desired source to the destination?

      • parth says:

        Sir, I have set up an edge network in a virtual environment using Hyper-V. The server type is Windows Server 2008 R2. Help me out to connect the internal network to the Internet without the use of a proxy.

        • Bypassing the proxy for internal users will be possible if you don’t configure a proxy server in IE. Note that TMG blocks all traffic by default if you utilize TMG as a proxy server. You need to create a firewall policy to allow Internet.

          • parth says:

            Sir, I have already created a firewall policy to allow Internet, and it is working fine when I configure IE for the proxy. But I need to allow Internet access to the internal network without the use of a proxy server.

          • parth says:

            Sir, please help.

  26. parth says:

    This post is a great help, sir. Really, thank you for the post; it helped me understand ISA/TMG 2010.

  27. parth says:

    Thanks for the post, sir. I have installed and done all the TMG setup successfully. My network type is edge network and I am testing it in a virtual network. Can you please guide me to enable Internet in the internal network without using a proxy?

  28. mahendi says:

    In the TMG network, users face an “invalid certificate error” when opening any site in Mozilla and IE. If the browser leaves the proxy it does not open any sites. So what is the issue here?

  29. Asokan says:

    Hi,

    1.) My users want to make RDP connections to the external network, so we have decided to go for a two-NIC setup, and my servers are protected with firewall devices.

    2.) Internal NIC IP XXX.XXX.XX.4 and external IP 172.XXX.XX.7.

    3.) For the external IP we have NAT in our firewall for ports 80, 3389 and 443.

    4.) With the above config, if I create a new rule, is it possible to make an RDP session to public computers?

  30. David says:

    Hello Raihan,

    Great post!! I have a problem with my TMG config and need your help, please. The problem is:
    Downloads from our internal FTP server through TMG are corrupted.
    I added the internal FTP server as a Web Chaining exception, no cache, malware exception… I don’t know what is happening.

    If I download the file directly (through Windows Explorer) from the TMG server, it doesn’t fail. If I download the file through any other application (FileZilla, CoreFTP, etc.) that uses the TMG server as proxy, the file is corrupted.

    Thanks in advance

  31. Arsalan Zia says:

    Dear Raihan,

    It’s Arsalan, I am an IT Officer. Sir, I am having an issue in TMG. I have one external NIC (public IP from ISP) and one internal NIC (private IP for local LAN). My TMG 2010 can ping another public IP of my sister company, but my clients can’t ping or connect to the same. Sir, I want to connect to my sister company through VPN because some of our servers are installed in my sister company’s data center, but after deploying TMG 2010 I am unable to do that. Please help me out with this issue; I will be thankful to you.

    Regards,
    Arsalan Zia
    IT Officer.

  32. Abid says:

    I’ve configured TMG as an Edge Firewall and after configuring I’m unable to access Internet.
    Following are the configurations I made:
    Internal Network Adapter Settings:
    IP: 192.168.1.2
    Subnet Mask: 255.255.255.0
    Gateway : None
    DNS: 192.168.1.1

    192.168.1.1 is my Domain Controller where I’m also using DHCP.

    External Network Adapter Settings:
    IP: 192.168.0.101
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.0.1
    DNS: None

    After installation, I added an Allow access rule in Firewall Policy to allow DNS from Internal to External, but still I’m unable to access the Internet.
    Also I can’t ping the router’s IP (192.168.0.1) from my internal network PCs.
    Can you please guide me step by step on how to configure it properly so I can use the Internet from the internal network?
    Please guide me.

    • On the external NIC, configure DNS. Create a firewall rule to allow HTTP/HTTPS from Internal to External. In the TMG console go to Monitoring and add AD, DNS and Web connectivity verifiers; the Web connectivity verifier target is the gateway IP of the router. By the way, are you able to browse the Internet from the TMG server without proxy settings in IE? If you can, try using proxy settings.
      Configure the proxy in the clients’ IE and browse the Internet.

      • Abid says:

        I also added a DNS entry on the External network adapter, and the firewall rules were created before. The DNS access rule is also there from Internal to External, along with HTTP and HTTPS allow rules.
        The Active Directory and DNS server connectivity verifiers are working fine, but when I create a Web connectivity verifier it shows an error.
        The router’s default gateway is 192.168.11.2, so I created a Web connectivity verifier and added that IP, Group Type: Web (Internet), Verification method: HTTP “GET” request, but it gives an error.
        Please guide me where things went wrong. What do I have to do now to fix this Internet connectivity issue?

        • Are you able to browse the Internet from the TMG server? Is HTTP/HTTPS allowed for All Users? If you added it for selected users/groups, did you add yourself to that group? What error are you getting?

          • Abid says:

            Yes, I can browse the Internet on the TMG server, but only if I configure my External adapter as follows:
            IP: 192.168.11.121
            Gateway: 192.168.11.2
            DNS: 192.168.11.2
            If I don’t give DNS, there is no Internet browsing on the TMG server. If I give the router’s IP as DNS on my External adapter, I can access the Internet even after configuring the TMG server.
            Please guide me on what the issue is and what to do now.

  33. Riaz KM says:

    Hello Raihan

    First of all, thanks for the excellent work you are doing. I am totally new to TMG and ISA and I am badly looking for some help. I hope you will be able to help me.
    Scenario
    We are using two Cisco IronPorts as our enterprise firewalls.
    IronPort1 IP is 10.230.60.1 (internal range)
    IronPort2 IP is 10.230.60.2 (internal range)
    And we use the following subnets for our LAN:
    10.230.60.0/24 (for all servers); 10.230.61.0; 10.230.62.0; 10.230.63.0; up to 10.230.69.0/24. Inter-VLAN routing is configured, so communication between subnets is possible.

    The IronPorts are acting as our proxy as well. Some users use 10.230.60.1 as proxy while others use 10.230.60.2. Now we have reached a situation where we need to implement some type of network load balancing so that the requests will be equally distributed between the IronPorts. Also this will make the Internet highly available.

    So we decided to implement TMG 2010. But as I said earlier, I have no clue how to configure TMG 2010 for web access and NLB. Will you be able to help me with this please? In this scenario do I need TMG with 2 NICs, or will a single NIC do? I don’t need any DMZ.

    Waiting to hear from you soon.

    Thanks

    Riaz

  34. Riaz KM says:

    Hello Raihan, thanks for the support and the quick reply. I shall try the steps in the link you provided. One small doubt.
    When TMG 2010 is to be configured as an edge firewall, then we need 2 NICs, right? One for internal and one for external. We have a Cisco IronPort which is connected directly to the ISP link. It has an internal address which is in the range of, say, 10.232.60.1. So how should I configure TMG?
    We are using 10.232.60.0/24 to 10.232.65.0/24 (there is inter-VLAN routing).
    So which IP should I give to External (with the present setting it has to be in the range 10.232.60.x), and for Internal I can give 10.232.61.1?

    Will it work like this, and how do I set up authentication in TMG? The IronPort uses AD accounts for authentication. Please advise.

  35. Riaz KM says:

    Hi Raihan, I want to keep the IronPort. It will be the main firewall. The TMG will be mostly used for the purpose of load balancing. So the issue is now that the IronPort will have 2 IP addresses, one public and one from the internal range, and the TMG also will require 2 IPs. That’s where I get confused. How can I specify 2 IPs? Is it necessary that the interface named External on TMG should have an IP which is not included in the internal range? Will it be an issue if I give an IP on the external interface which can be reached from the internal interface (due to inter-VLAN routing)? Sorry for troubling you and thanks a million for your efforts.

  36. Riaz KM says:

    Dear Raihan, can you please help me with the above query? Is it possible to send me your email address so that I can attach a network diagram? Thanks, Riaz

  37. Clever Jackson says:

    Hi Raihan,

    I’m a new user of TMG. We installed TMG a few months back, and we had a problem with the Web Protection licence, which expired. While we were processing the licence we had to make a deny rule in which I had to specify all the websites that users are not supposed to visit, and it worked. After reinstallation of the licence I disabled the rule so that the previous rules could continue working, but to my surprise it’s not working; as a result users are accessing everything.

    • I am certain that you have a rule in place that allows everything. Please go through the rules one by one and check.

      Please do not apply any rule to All Users; instead use a specific group such as staff or a department like Finance Dept.

      • Clever Jackson says:

        Hi Raihan,

        I have checked all the rules in the web access policy; they are now fine and I have remained with just 4 rules:
        1. Staff with no access to the Internet
        2. Staff with limited access to the Internet
        3. Staff with full access to the Internet except porn and business-defined prohibited websites
        4. Default deny rule
        Is this order of rules okay? There is also the Firewall Policy; I have these rules there, but there are additional rules for allowing users to access VPN, and another to allow the BlackBerry server to access the Internet. Some of the rules on this side allow all users, which I guess is what is killing my web access rules. Is there a way to sort this out without compromising my other settings?

  38. Clever Jackson says:

    Hi Raihan,
    I have managed to sort out the issue of rules; I had to redo all the rules. I’m having another problem though. I have one application that uses Java; it is authenticated by TMG, but yet it doesn’t open up. See the log below.

    Allowed Connection S002TMG001001 9/5/2012 5:44:16 PM
    Log type: Web Proxy (Forward)
    Status: 407 Proxy Authentication Required
    Rule: Web Access Policy for Research Users-Rule that user belong
    Source: Internal (22.32.137.118:1835)
    Destination: External (22.32.15.200:443)
    Request: Public IP:443
    Filter information: Req ID: 128406e4; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: SSL-tunnel
    User: anonymous
    What could be the issue here?

  39. Kashif says:

    Hi

    Can you please help me in configuring rules which allow Outlook 2010 to send or receive emails from outside mail servers like Gmail or Hotmail? TMG blocks POP, IMAP and SMTP traffic.

    Browsing is working OK on the clients’ end, but email is not working.
    I have made rules for HTTP, HTTPS, DNS, IMAP, POP and SMTP FROM Internal, Local Host TO External.

    Please advise.

    Thanks.

    • shakeel shahid says:

      Kashif,

      You have to open the Outlook application in TMG; then your clients will be able to send or receive emails using the TMG firewall.

      Regards,

      Shakeel Shahid.

  40. shakeel shahid says:

    Dear sir,
    Please help me with TMG 2010. I want you to please tell me, can I block Internet on mobile devices?

    • Yes, you can. Create a firewall access policy denying either a range of IP addresses or the user groups using mobile devices.

      • shakeel shahid says:

        I have got a query about TMG 2010; can you please help me?

      • shakeel shahid says:

        Hi,

        Really, thanks for replying to me. I wanted to tell you that I am using authentication on my TMG firewall and all my users are firewall clients. Now the firewall is working fine and Internet is stopped on mobiles, but some users are using Android smartphones in which they can put domain credentials and access the Internet on the smartphone. Now my question to you is: is there any option in TMG to restrict by OS, so that I can block Internet for Android OS?

        Waiting for your kind response.

        Shakeel Shahid.

  41. navanath says:

    Sir,
    Can we install TMG Server 2010 on Windows Server 2012?

  42. navanath says:

    Can we install TMG Server 2010 on Windows Server 2012?

  43. octavian says:

    I have a problem with live streaming sites on TMG. Everything works fine, but when I go to a site with live streaming it says: error loading stream: could not connect to server.
    On a PC not behind TMG, live streaming works fine…

    • Create a firewall rule to allow the live stream, or go to the properties of the existing HTTP/HTTPS allow rule by right-clicking it, click Properties, click Configure HTTP, then allow the HTTP payload for live streaming and the size of the payload (MBps or kbps). That should work.

      • octavian says:

        It is selected… Now when I look into the log I get this: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied, and user anonymous appears…
        I don’t understand: until I select play on the stream TV (it’s a local television) everything is OK, the user is OK; when I press play I get this error with user anonymous… Why does the user change?

  44. imad says:

    Hi sir, please guide me: in Hyper-V, how can I configure the virtual switch settings to connect to the Internet with my physical laptop’s Wi-Fi? I also don’t have a static live IP. Please guide me.

  45. imad says:

    Sir, I am practicing TMG on my laptop using Hyper-V. So what configuration do I need to do to connect my Hyper-V switch to the physical machine’s Wi-Fi adapter in order to get access to the Internet, so that TMG works for me?
    Thanks for your support, sir.

  46. stefan says:

    Dear sir, what is the main difference between firewall policy and web access policy? I am not clear about it. Please guide me. I really like your post.

    • As the name suggests, firewall policy and web access policy are two different policies. One is for general firewall rules and publishing of Exchange, SharePoint and websites. Web access policy is for
      web access rules: configuring HTTP, HTTPS and web inspection, and configuring the web proxy and web cache. Just click each one and look at the tasks pane.

Leave a Reply