Professional Documents
Culture Documents
For information about creating access rules, see Creating an access rule.
For information about creating outbound Web access rules, that is, access from a client
computer to the Internet, see Configuring Web access.
You can use one of the following Forefront TMG rules to publish servers:
Secure Web publishing servers—To publish Secure Sockets Layer (SSL) content.
When Forefront TMG processes an HTTP or HTTPS request from a client, it checks
publishing rules and Web chaining rules to determine whether the request is allowed,
and which server will service the request.
For non-HTTP requests, Forefront TMG checks the network rules and then checks the
publishing rules to determine if the request is allowed.
For information about creating Web publishing rules, see Configuring Web publishing.
For information about creating server publishing rules, see Configuring publishing of
other protocols.
On the Rule Action page, specify whether the rule should allow or deny
access.
On the Users page, select whether requests for the rule must be
authenticated. For anonymous access, leave the default All Users
setting. To specify that the rule will only apply to a particular group of
users, click Add, and then select either the predefined user sets or
create a custom user set.
These best practices will help you create a firewall policy that results in the policy
behaviors you want and provide security benefits, and they can help you boost the
performance of your Forefront TMG deployment.
Protocol definitions
Schedules
Rules that use these elements should be placed at the top of the rule list.
Complex Rule Elements
The following rule elements require additional networking information and therefore
are evaluated more slowly:
Content type
Rules that contain such elements should be placed at the bottom of the rule list.
1. Global deny rules. Rules that deny specific access to all users. These rules
should use the rule elements that require simple networking information. An
example of such a rule would be a rule that denies all users access from
anywhere to anywhere on protocols used for peer-to-peer file sharing.
2. Global allow rules. Rules that allow specific access to all users. These rules
should use the rule elements that require simple networking information. An
example of this would be a rule allowing access on the DNS protocol from the
Internal network to the External network.
3. Rules for specific computers. Rules that allow or deny access for specific
computers, for example, a rule allowing UNIX computers access to the Internet.
4. Rules for specific users, URLs, and MIME types, and also publishing
rules. Rules that contain rule elements that require additional networking
information and that enforce policy for specific users, or for specific URLs or
Multipurpose Internet Mail Extensions (MIME) types. Publishing rules should
also occur at this point in the rule order.
5. Other allow rules. Rules that handle traffic that does not match rules that
occur previously in the list of rules, assuming the traffic is allowed by your
corporate policy. For example, a rule allowing all traffic from the Internal
network to the Internet.
Note:
Server publishing and Web publishing rules can be placed anywhere in the rule
order after global allow or deny rules.
Forefront TMG drops traffic from unauthenticated users after rules based on user sets,
to preclude the bypassing by unauthenticated users of the rules based on user sets.
Note:
Forefront TMG can only try to match authenticated users against rules that require
client membership in a user set. Authenticated users include Firewall clients,
virtual private network (VPN) clients, and authenticated Web clients.
Use IP Addresses
Where possible, use IP addresses rather than DNS names in your firewall policies. This
reduces the reliance of Forefront TMG on the DNS servers, and this results in better
performance. However, be aware that in some situations, you will not achieve the
desired behavior by using IP addresses. For example, if you are trying to deny access
to a site and the site’s IP address is assigned dynamically, or if the site has more than
one IP address, blocking an IP address does not block the site reliably. In this case,
you should use the fully qualified domain name (FQDN) to block the site. For extra
reliability, you can use both IP addresses and FQDNs in a rule. Note that you have to
create separate rule elements for the IP addresses and for the FQDNs. When you use
IP addresses and FQDNs in a single rule, the Forefront TMG rule engine first evaluates
the request using the IP addresses, so that if there is a match, there is no need to try
to resolve the FQDN to an IP address. This improves the efficiency of the rule. For
examples of how Forefront TMG evaluates names and IP addresses in HTTP requests,
see Name Evaluation in this document.
Use Fully Qualified Domain Names for URL Sets and Domain Name Sets
Use fully qualified domain names (FQDN) in domain name sets and URL sets.
For examples of how Forefront TMG evaluates URLs and IP addresses in HTTP
requests, see Name Evaluation in this document.
User Authentication and Performance
When a rule requires user authentication, it must rely on connectivity to and speed of
the authenticating server, such as the domain controller or Remote Authentication
Dial-In User Service (RADIUS) server. The authentication process can affect the
performance of Forefront TMG. We therefore recommend that rules requiring
authentication be placed near the bottom of the list of rules (assuming that this
conforms to your policy design), so that only traffic that is not matched by an earlier
rule will encounter the authenticating rule.
Note:
You can use Forefront TMG connectivity verifiers to monitor connectivity with
various servers. Connectivity verifiers are described in Forefront TMG Help.
Protocol Definitions
Do not create protocol definitions that duplicate or overlap existing protocol definitions.
This can lead to unexpected behavior. For example, you may create a rule that allows
all traffic except for a specific protocol, and you may find that the traffic you meant to
deny on that protocol is actually allowed because there is a similar protocol defined.
We recommend that you check the list of existing protocols carefully before you define
additional protocols.
Note:
In this scenario, on the Web proxy tab for the user network, after you click
Authentication, you should not select Require all users to authenticate,
because this will also block access to Windows Update.
Name Evaluation
When a client makes an HTTP request, it may be a name, an FQDN, or an IP address.
This topic provides examples of how Forefront TMG handles these requests.
Name: www.fabrikam.com
FQDN: fabrikam.com
IP addresses: 207.46.250.119, 207.46.130.108
If an HTTP request uses an IP address, Forefront TMG first checks the rules to see if a
rule matches that IP address. During this process, if Forefront TMG encounters a rule
that requires a name, it performs reverse name resolution to obtain the FQDN for that
IP address. Forefront TMG can then compare the FQDN to the access rule definitions.
If the reverse name resolution fails, only the original IP address in the request is used
in comparison to the rule definitions.
Note:
In the case of a SecureNAT client requesting a site by name, Forefront TMG first
verifies that the host header content is not masking an unrelated IP address
requested by the client. If this verification succeeds, the process continues as it
would for a Web Proxy client.
Configuring VoIP
Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)
The following topics provide information on:
Configuring access for VoIP—How to create access rules which allow Voice over IP
(VoIP) over Forefront TMG.
Configuring advanced VoIP settings—How to configure VoIP settings which allow clients
on the Internal network to receive and send calls through the Internet Protocol Private
Branch Exchange (IP PBX) system.
Configuring access for VoIP
Allow SIP traffic between phones and IP PBX—Enables SIP traffic from the
internal phones to reach the external PBX.
Allow RTP traffic to External network—Enables media traffic from the internal
phones to reach the external network.
Allow RTP traffic between phones—Enables media traffic between the internal
phones.
4. Follow the steps in the wizard to specify the location of the external IP PBX
(your ITSP will typically provide you with a DNS name), and specify the network
addresses of the phones that will be used for SIP traffic.
5. The completion page details the Forefront TMG policy rules that will be created.
The rules specify the source and destination by which the specified traffic is
allowed.
Use this configuration when you use an internal IP PBX and the PSTN for external calls.
In this case, you need an SIP gateway that converts calls between the IP network and
PSTN. This VoIP configuration adds the following rules:
Allow RTP traffic to SIP gateway—Enables media (RTP) traffic from the internal
phones and IP PBX to reach the SIP gateway.
Allow RTP to internal IP PBX—Enables media (RTP) traffic from the internal
phones and SIP gateway to reach the IP PBX.
Allow RTP traffic to Phones—Enables media (RTP) traffic from the IP PBX and
SIP gateway to reach the IP phones.
Allow SIP traffic SIP IP PBX and internal SIP components—Enables SIP traffic
between the IP phones, IP PBX, and SIP gateway.
5. Follow the steps in the wizard to specify the location of the SIP gateway, the IP
address of the internal PBX, and specify the network addresses of the internal
IP phones.
6. The completion page details the Forefront TMG policy rules that will be created.
The rules specify the source and destination by which the specified traffic is
allowed.
Use this configuration when you use an internal IP PBX and a SIP trunk between your
IP PBX and the ITSP for external calls. This VoIP configuration adds the following rules:
Allow RTP traffic to internal IP PBX—Enables media (RTP) traffic from the
internal phones to reach the IP PBX, that is, the internal SIP Proxy.
Allow RTP traffic to phones—Enables media (RTP) traffic from the IP PBX to
reach the IP phones.
Allow RTP traffic to External network—Enables media (RTP) traffic from the
internal phones and IP PBX to reach the external network.
Allow SIP traffic between internal IP PBX and external IP PBX —Enables SIP
from the internal IP PBX to reach the external IP PBX.
Allow SIP between internal SIP components—Enables SIP between the IP
phones and the IP PBX.
Publish internal IP PBX to the External network—Allows traffic from the external
IP PBX to reach the internal IP PBX.
5. Follow the steps in the wizard to specify the IP address of the internal PBX, the
location of the external IP PBX (your ITSP will typically provide you with a DNS
name), and specify the network addresses of the internal IP phones.
6. The completion page details the Forefront TMG policy rules that will be created.
The rules specify the source and destination by which the specified traffic is
allowed.
Use this configuration when you use an internal IP PBX and a hosted PBX. This VoIP
configuration adds the following rules:
Allow RTP traffic to internal IP PBX—Enables media (RTP) traffic from the
internal phones to reach the IP PBX, that is, the internal SIP Proxy.
Allow RTP traffic to phones—Enables media (RTP) traffic from the IP PBX to
reach the IP phones.
Allow RTP traffic to External network—Enables media (RTP) traffic from the
internal phones and IP PBX to reach the external network.
Allow SIP traffic between internal IP PBX and external IP PBX—Enables SIP from
the internal IP PBX to reach the external IP PBX.
Allow SIP traffic between the SIP IP PBX and internal SIP components—Enables
SIP between the internal SIP components and the SIP IP PBX.
To configure an internal IP PBX with an external (hosted) IP PBX
1. On the Forefront TMG server, click the Firewall Policy node.
5. Follow the steps in the wizard to specify the IP address of the internal PBX, the
location of the external IP PBX (your ITSP will typically provide you with a DNS
name), and specify the network addresses of the internal IP phones.
6. The completion page details the Forefront TMG policy rules that will be created.
The rules specify the source and destination by which the specified traffic is
allowed.
1. Use the Web Access Policy wizard to create a basic Web access policy. This
basic policy provides anonymous access for internal users to all Web
destinations, except for those Web destinations that you select. You can use
predefined URL categories to filter out the types of Web destinations you do not
want your users to access. You can also designate users or user sets to whom
these blocks do not apply. The wizard also allows you to enable protection
technologies for Web-based threats.
2. After completing the Web Access Policy wizard, you can fine-tune the Web
access policy by editing the properties of the Web access rules. Among other
things, you can force users to authenticate before granting them access to the
Web, set up different access rules for different users, control the times when
they can access the Web, and what file types they can download.
The following topics describe how to enable and configure Web access in your
organization:
Enabling caching
Configuring remote client VPN access—Describes how to allow users who work
remotely to connect to the corporate network over the Internet with high
security.
http://technet.microsoft.com/en-us/library/dd897034.aspx
http://technet.microsoft.com/en-us/library/bb838876.aspx
Configuring publishing
Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)
The following topics provide information about configuring publishing in Forefront TMG:
http://technet.microsoft.com/en-us/library/dd441032.aspx
http://technet.microsoft.com/en-us/library/cc441546.aspx
Note:
For more information about these protections, see Protection design guide for
Forefront TMG.
http://technet.microsoft.com/en-us/library/dd441054.aspx
http://technet.microsoft.com/en-us/library/cc441452.aspx
Configuring alerts
Track activity by monitoring current sessions for Forefront TMG Clients, Web
proxy clients, and SecureNAT clients. For instructions, see Monitoring client
sessions.
Check the current state of the system by monitoring alerts that have been
issued, as well as the status of services. For more information, see Monitoring
alerts.
Monitor traffic status by using performance counters. For details, see Monitoring
performance.
Web Logs traffic handled by the Web proxy Enabled by default to log
proxy filter into the SQL Express
log database on the local
computer.
Maintenance method:
Delete files as necessary
Log The log queue is used to temporarily store By default the log queue is
queue log entries when they cannot be stored in the ISALogs folder
formatted. This may occur when log of the Forefront TMG
entries are generated faster than they can installation folder.
be formatted, or there is no connectivity
to a remote SQL Server database.
Alerts The alerts service notifies you when All log-related alerts are
specific events occur. enabled by default
The following topics provide information that can help you configure and maintain logs
and run log queries:
Enabling logging
Cache ratio.
Security monitoring. For example, you can generate reports that track malicious
attempts to access internal resources. Similarly, by tracking the number of
connections to a published server or the traffic to the server, you might identify
an attempt at denial of service.
Malware activity.
URL filtering.
Recurring report jobs. You can schedule automated reports on a daily, weekly,
or monthly basis. The time periods available for these reports are more
structured than those of one-time reports; a report that is generated every day
will show a day's activity, and a report that is generated once a month will show
exactly a month's activity.
Note:
Reports contain activity from the previous day and earlier.
Forefront TMG provides predefined report categories and subcategories. These reports
can be customized.
Reporting mechanism
Forefront TMG reports are based on log summaries derived from the Web Proxy and
Firewall logs. Using SQL Server reporting services, Forefront TMG generates two types
of log summaries, daily and monthly, which all reports are based on. Log summaries
are generated at night (by default at 12:30am), however this time is configurable.
The following topics provide information that can help you configure reports:
Creating reports
Viewing reports
Customizing reports
3. On the Category Query tab, type a URL or IP address, and then click Query.
The result of the category is displayed on the tab, as well as some insight as to
the source of the categorization, such as by override, IP address, or URL alias.
Note:
Each URL must include a host name, and may include a path, query string,
escaped characters (such as “%20” to represent a space) and a protocol (such as
HTTP://). For example, http://www.contoso.com/training/.
Note:
Each URL must include a host name and a path, and may include a
query string and escaped characters (such as “%20” to represent a space).
5. Under Move URL pattern to this category, select a new URL category.
6. Click OK. The URL Categories Override dialog closes. Click OK again and
then on the Apply Changes bar, click Apply.
Before you start the backup or restore process, make sure you read the information
provided in Planning for backup and restore.
http://technet.microsoft.com/en-us/library/bb794815.aspx
Note:
The export process does not back up Secure Sockets Layer (SSL)
certificates. For information about how to back up SSL certificates, see About
backing up SSL certificates.
5. In Save this data in this file, specify the folder in which the export file will be
saved, and the file name.
3. Select the file that you saved when you exported the configuration.
6. If you exported confidential information, enter the password that you specified
when you exported the file.
Array configuration settings, which are relevant for, and are shared by, all
members of the array.
Note:
Note:
The export process does not back up Secure Sockets Layer (SSL)
certificates. For information about how to back up SSL certificates, see About
backing up SSL certificates.
5. In Save this data in this file, specify the folder in which the export file will be
saved, and the file name.
3. Select the file that you saved when you exported the configuration.
7. If you exported confidential information, enter the password that you specified
when you exported the file.
Note:
In the details pane, right-click the applicable rule, and then click Export
Selected.
In the Toolbox pane, right-click the required rule element, and then click
Export Selected.
In the Toolbox pane, right-click the required rule elements, and then
click Export All.
In the details pane, right-click the applicable rule, and then click Import
to Selected.
Note:
In the Toolbox pane, right-click the required rule element, and then click
Import All.
4. Select the file that you saved when you exported the configuration settings.
6. If you exported confidential information, enter the password that you specified
when you exported the file.
Note:
Unsupported Configurations
http://technet.microsoft.com/en-us/library/dd897100.aspx
Tracking configuration changes
User—The user name of the person who made the configuration change.
You can configure the following for the change tracking feature:
Note:
5. To specify a maximum number of entries for the change tracking log, in the
Limit number of entries to box, enter the required number. It is
recommended that you do not configure a limit of more than 10,000, as this
may affect performance.
Note:
When the maximum number of entries is reached, the earliest entries are
overwritten.
6. To view the entry in the configuration change tracking output, click Apply.
2. Before applying the change and change description, you can create a backup of
the existing configuration by exporting the configuration. To open the Export
Wizard, click Export. For Enterprise Edition, export backs up the entire
enterprise.
3. Click Apply. The required configuration change is saved, and the description is
applied to the change.
4. When the Saving Configuration Changes status dialog box appears, click
OK. The configuration changes are recorded to the change tracking output.
Filter options are accessible at the top of the Change Tracking tab. You can filter the
entries by user name and by content. You can also use the short key CTRL+F to search
for entries.
To search for an entry
1. In the User name contains box, enter the name of the user who performed
the configuration change.
Note:
4. To display more details, you can expand each entry in the output.
Important:
The traffic simulator checks rules only on the basis of what is allowed or denied by
the firewall engine. The traffic simulator is not aware of traffic that is blocked or
allowed based on application filter settings, or HTTP filtering, which means that
even if simulated traffic is allowed, real traffic may be blocked by a filter.
The following describes how to configure the traffic simulator, and how to simulate
traffic scenarios.
Configuring the traffic simulator
The following lists the different firewall policy scenarios that can be simulated:
The results of the simulation for the configuration properties of the policy rules appear
at the bottom of the screen. You can check any of the setting details in the following
list to evaluate the cause of any network issues.
Setting Description
Rule Name Displays the name of the policy rule used by the request.
Rule Order Displays the order number of the rule. Rule ordering numbers
are displayed in the details pane of the Firewall Policy node
in Forefront TMG Management.
From Displays the source network from which the traffic is initiated.
Rule Application Used by the application filter types defined in the published
Filters rule.
To run the traffic simulation, you must first configure the traffic scenario settings. The
following procedures describe how to simulate traffic:
5. In Destination Parameters, in the URL box, type the URL address of the
target site. If the rule is configured to apply to any domain, you can specify an
IP address or a URL.
6. In Server, select the server from which you are running the traffic simulator.
8. Click Start.
3. In the IP address box, enter the network IP address of the source server.
5. In Server, select the server from which you are running the traffic simulator.
7. Click Start.
Note:
The URL is the one published by Forefront TMG. The URL is specified on the Public
Name tab. Forefront TMG must be able to resolve it to its external IP address;
otherwise the simulation fails.
5. In Server, select the server from which you are running the traffic simulator.
7. Click Start.
4. In Server, select the server from which you are running the traffic simulator.
6. Click Start.
Tip:
Tip:
It is recommended that you back up the registry before making any changes.
2. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\S
ETUP.
Troubleshooting NIS
For a description of Forefront TMG Web access protection, see the Forefront TMG
secure Web gateway solution guide.
http://technet.microsoft.com/en-us/library/ff358613.aspx
Unsupported Configurations
Installation issues
This section describes the following installation issues, their causes, and solutions:
In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported
In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is
not supported
Cause: Forefront TMG firewall or EMS role will not install or run on a 32-bit operating
system. Only the Forefront TMG Management console can be installed on a 32-bit
operating system (Windows Server 2008 R2, Windows Server 2008 SP2, Windows 7, or
Windows Vista SP1).
Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or
Windows Server 2008 R2. For more detailed information on installation requirements,
see System requirements for Forefront TMG.
Cause: Forefront TMG or Forefront TMG EMS will not install or run on Windows Server
2003.
Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or
Windows Server 2008 R2. For more detailed information on installation requirements,
see System requirements for Forefront TMG.
Cause: The table below summarizes the editions of Windows Server 2008 that are
supported.
Windows Server 2008
Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or
Windows Server 2008 R2 taking the above information into consideration. For more
detailed information on installation requirements, see System requirements for
Forefront TMG.
Cause: Running both Forefront TMG and an EMS from the same computer is not
supported.
Solution: No workaround.
Cause: Forefront TMG cannot be installed on the same operating system (Windows
Server 2003) on which ISA Server runs, so in-place upgrade is not possible.
See Migrating from ISA Server 2004/2006 to Forefront TMG for more detailed
information.
In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2
is not supported
Issue: Upgrading from Windows Server 2008 SP2 to Windows Server 2008 R2 is not
supported.
Cause: Forefront TMG does not support upgrading to Windows 2008 R2 while
Forefront TMG is installed.
Warning:
Uninstalling Forefront TMG, and then upgrading to Windows 2008 R2, is also not
supported.
Forefront TMG installed on a domain controller is not supported
Issue: Installing Forefront TMG or Forefront TMG EMS on a computer configured as an
Active Directory domain controller is not supported.
Note:
Cause: The following table summarizes the operating system support for Forefront
TMG Client and other Firewall client software.
Forefront Firewall Firewall Firewall
TMG Client Client 2006 Client 2004 Client 2000
Solution: Install the Forefront TMG Client software on a supported operating system.
Cause: The following table summarizes the support between Forefront TMG, ISA
Server and their Clients.
Forefront ISA Server ISA Server ISA Server
TMG 2006 2004 2000
Solution: Deploy a supported Client. It is recommended that you use Forefront TMG
Clients together with Forefront TMG for best performance and added functionality.
Cause: Certain features are not supported when Forefront TMG is deployed within a
workgroup environment, as follows:
Note:
A number of antivirus products may also install some firewall components, such as
worm protection, which can result in unpredictable behavior.
Array issues
This section describes the following Forefront TMG array issues, their causes, and
solutions:
Forefront TMG and ISA Server cannot coexist in the same enterprise or array
Cause: All the Forefront TMG servers in an array must have the same operating
system, either Windows Server 2008 SP2 or Windows Server 2008 R2. This is
especially significant when performing upgrading the array to Window Server 2008 R2.
Solution: You must build a new array and then migrate each Forefront TMG server to
the new array (after each one completes the Windows Server 2008 R2 and then
Forefront TMG installations).
Forefront TMG and ISA Server cannot coexist in the same enterprise or array
Issue: Forefront TMG and ISA Server cannot operate as members of the same array
or enterprise.
Cause: Forefront TMG and ISA Server require different configuration schema and
settings, and cannot be simultaneously controlled by a single array manager.
Solution: No workaround.
Cause: Firewall chaining has been deprecated and is no longer supported by Forefront
TMG.
ISP redundancy does not support more than two external interfaces
Forefront TMG does not support more than two default gateways
Cause: Forefront TMG can support only two external connections with the ISP
Redundancy feature.
Forefront TMG does not support more than two default gateways
Issue: No support for more than two default gateways.
Cause: Forefront TMG does not support more than two default gateways configured on
the same network adapter (within different subnets), or on two different adapters (one
default gateway per adapter). Using more than one default gateway is only supported
for the ISP Redundancy feature.
Solution: To enable ISP redundancy, set the default gateway on each of the Forefront
TMG network adapters to a different ISP. If only one network adapter is available, it is
possible to set two default gateways, as long as each default gateway is in a different
subnet.
Cause: Windows Server 2008 does not support multiple default gateways in DHCP-
assigned links.
Solution: Manually add both default gateways to the routing table on Forefront TMG.
Cause: The ISP redundancy feature requires a NAT relationship with the external
network in order to fail over the connection to an alternate ISP. SMTP listeners on the
external NIC cannot take advantage of the ISP redundancy functionality as there is no
address translation in mail traffic.
Solution: No solution. To take advantage of the ISP redundancy functionality, use the
SMTP publishing feature to publish the internal SMTP servers.
Protocol-based load balancing is not supported with the ISP redundancy
feature
Issue: Forefront TMG cannot distribute traffic based on the protocol that is used (for
example, HTTP through one link and SMTP through the other).
Cause: Protocol-based load balancing is not supported with the ISP redundancy
feature.
Solution: No workaround.
Forefront TMG does not support defining networks that represent remote
subnets
Domain names that include wildcard characters are not supported with link
translation enabled
Forefront TMG does not support defining separate network objects that
represent remote subnets
Issue: Forefront TMG does not support defining separate network objects that
represent remote subnets.
Cause: When you define IP address ranges for a network, Forefront TMG checks all
network adapters. When Forefront TMG finds an adapter with an IP address in the
network range, it associates the network with that adapter. When a network includes
remote subnets accessible by Forefront TMG through routers, the IP address of the
remote subnets should be included in the network definition. If you define a separate
network object for a remote subnet (instead of including it in the network definition),
Forefront TMG tries to locate an adapter with an IP address of the network object, and
fails. Forefront TMG assumes that the adapter is not available (disconnected or
disabled), and sets network status to disconnected.
Solution: For best practice when defining your network configuration in Forefront
TMG, take note of the following:
Include all network ranges for subnets in a network object’s properties (for
example, include subnet IP addresses in the IP address range for the internal
network).
Apply rules to specific subnets by creating subnet objects in the Toolbox, and
then using these subnet objects to specify the source and destination in access
rules.
Cause: There may be some circumstances in which you want to allow communication
between domains or domain members that are separated by Forefront TMG. Typical
scenarios include:
A Web server located in the perimeter network that is a member of the internal
domain needs to contact the domain controller in the internal network.
Create routes on internal devices so that traffic destined for other networks is
routed through Forefront TMG. This is done either on the clients themselves,
where they are on the same subnet as Forefront TMG, or on the relevant router
in your network infrastructure.
If you want to support requests from SecureNAT clients, specify the Forefront
TMG interface as the default route for those clients.
Solution: No workaround.
Domain names that include wildcard characters are not supported with link
translation enabled
Issue: Forefront TMG does not support the use of wildcard characters in the domain
name when link translation is enabled; for example, *.microsoft.com is not permitted.
Cause: When link translation is enabled, the rule must specify an explicit public
domain name. Domain names including wildcard characters are therefore not allowed.
Disable link translation on the Link Translation tab of the Web publishing rule
properties.
In the Public Name tab, specify each Web site to which the rule will apply,
rather than using a wildcard. For example, use www.microsoft.com and
mail.microsoft.com, not *.microsoft.com.
Cause: In single network adapter mode, Forefront TMG recognizes itself as the Local
Host network, and everything else is recognized as the internal network. There is no
concept of an external network.
Solution: Redeploy Forefront TMG with at least 2 network cards using the Edge, Back
Firewall or 3-leg perimeter network topology design. For more information, see the
topics: Planning Forefront TMG network topology and About single network adapter
topology.
Solution: No workaround.
Dial-Up issues
This section describes the following dial-up issues, their causes, and solutions:
Cause: Remote access settings must be specified using Forefront TMG Management.
Any demand-dial interfaces created or modified using Routing and Remote Access that
do not match networks in Forefront TMG are overwritten and deleted by Forefront
TMG. Note the following limitations when creating demand-dial interfaces using the
VPN Wizard:
Forefront TMG does not allow you to disable or enable specific services or
network components on a specific VPN interface.
You cannot configure the number of redial attempts that the VPN connection
makes.
Solution: For more information about solutions, see Knowledge Base article KB842639
(http://go.microsoft.com/fwlink/?linkid=51103).
1: You can only configure automatic dialing for a non-VPN dial-up connection on one
network.
Solution: If automatic dialing is used to connect directly to the Internet, select the
external network for the automatic dial-up connection. You can also configure
automatic dialing to connect to a branch office, or to a specific location in your
organization.
2: Forefront TMG does not support customized routes. For example, if Forefront TMG
dials a non-VPN connection to a remote network that is not the default gateway, this
requires a custom route to the remote network. Forefront TMG overwrites Routing and
Remote Access settings with its own settings. Forefront TMG creates and controls
Point-to-Point Tunneling Protocol (PPTP) over Layer Two Tunneling Protocol (L2TP)
interfaces, overwriting changes made in Routing and Remote Access. If modem
connections are created in Routing and Remote Access, Forefront TMG deletes them.
Solution: You can use Routing and Remote Access to add a demand-dial interface for
the connection and create a static route for the connection.
3: Forefront TMG uses the local domain table (LDT) to determine whether a request is
to an internal computer (in the LDT) and whether dialing out is required. There may be
an issue with connections being constantly dialed if clients make a dial-up request for a
URL that is not defined in the LDT.
Solution: You can control whether the dial-up connection is dialed for DNS purposes.
For more information, see Knowledge Base article KB901109
(http://go.microsoft.com/fwlink/?linkid=54622).
Load balancing is not supported with Forefront TMG Clients or ISA Firewall
Clients
Solution: No workaround. To obtain support for NLB with Forefront TMG you must use
the Enterprise version.
Load balancing is not supported with Forefront TMG Clients or ISA Firewall
Clients
Issue: Client machines running Forefront TMG Clients or ISA Firewall Clients may have
issues connecting to an array of Forefront TMG servers with any type of load balancing
configured on the related Forefront TMG network.
Cause: Load balancing (either integrated or using an external load balancer) is not
supported together with Forefront TMG Clients or ISA Firewall Clients.
Solution: Instead of using a load balancer, use DNS round robin to point the clients to
the Forefront TMG array member’s dedicated IP addresses.
VPN issues
This section describes the following virtual private network (VPN) issues, their causes,
and solutions:
DHCP address allocation for VPN remote clients not supported in a Forefront
TMG array
DHCP address allocation for VPN remote clients not supported in a Forefront
TMG array
Issue: Using a Dynamic Host Configuration Protocol (DHCP) server to assign IP
addresses for VPN remote clients is only available in a single server Forefront TMG
array.
Cause: This option is only available in Forefront TMG Standard Edition, or in Forefront
TMG Enterprise Edition with a single array member. This limitation applies when an
array consists of more than one member and NLB is disabled, because there is no way
to guarantee DHCP address allocation across the array members.
Solution: Use static pool address assignment whenever there are multiple array
members.
Cause: Forefront TMG does not support IP filters defined by Network Policy Server
(NPS) policies.
Cause: You select Enable User Mapping to map VPN remote users connecting with
non-Active Directory service credentials (such as a RADIUS user) to Windows
accounts. This feature enables you to apply access rules that use Windows groups and
users to apply to other users. When RADIUS is authenticated with CHAP, MS-CHAP,
MS-CHAP version 2, or any type of EAP, the domain specified in the user mapping is
used to match the VPN client to a mirrored Active Directory account. When PAP or
SPAP is used, the domain name is always ignored, and the VPN client can be matched
to an Active Directory account in the local domain in which Forefront TMG is a domain
member, or to a local user account on the Forefront TMG computer in a workgroup
configuration.
Solution: To use CHAP, MS-CHAP, MS-CHAP version 2, or EAP, make Forefront TMG a
domain member.
When Forefront TMG is configured as a VPN server that uses the L2TP/IPsec
protocol, traffic to and from the L2TP protocol port (UDP port 1701) is secured
by IPsec.
With these default settings, the outbound L2TP client request is sent from the NAT
address (usually the address of the Forefront TMG external network adapter) and the
external VPN server responds to this address. Forefront TMG does not forward the
L2TP traffic from the external VPN server to the client because no matching IPsec
policy exists.
Solution: Use PPTP for outbound VPN connections, or do not use the L2TP/IPsec
protocol when Forefront TMG is configured as a VPN server.
Publishing issues
This section describes the following publishing issues, their causes, and solutions:
Cause: Customizing the existing functionality of Forefront TMG HTML pages (for
example, changing the error messages or using a custom logo) is encouraged and
supported. However, the degree that any HTML page can be customized is very
extensive, so any customization to Forefront TMG HTML pages with the intention to
add additional functionality, which goes beyond the scope of intended use, is not
supported.
Solution: If issues arise as a result of such customization of the Forefront TMG HTML
pages, the original files should be restored. For more information on what
customization is supported and how to implement the changes, see the topics
Customizing HTML forms and Customizing HTML error messages in Forefront TMG.
Note:
If you listen for Web requests on port 81, and the Web publishing rule for
www.contoso.com sends requests to domain.site.internal, which is listening on
port 80, the host header sent to domain.site.internal will be
www.contoso.com:81.
This behavior may be an issue where Web applications build links that are dynamically
based on the host header.
Cause: This is by design for the link translation functionality of Forefront TMG.
Disable the option to forward the original host header to the server, and enable
link translation (without making any addition to the dictionary). In this case,
the server will build links according to the internal name. Forefront TMG will use
link translation to translate all internal links to the external name (including the
port number).
Solution: To publish multiple SSL sites using the same IP address and port (listener),
where all sites published use the same domain namespace, you can use a wildcard
character certificate or a SAN certificate. For example, to publish sites OWA, WebSite1,
and WebSite2 at contoso.com, you can acquire a wildcard character certificate
(*.contoso.com) for Forefront TMG. Note that Forefront TMG only supports wildcard
character certificates that are located on the Forefront TMG itself. In an HTTPS-to-
HTTPS bridging scenario, you cannot use a wildcard character certificate to
authenticate to the back-end Web server.
Forefront TMG does not support SIP traffic from an OCS server
WCCP, ICP and ICAP protocols are not supported in Forefront TMG
Cause: The RPC filter cannot inspect RPC over HTTP traffic because:
Forefront TMG application filters cannot be chained to each other and Web
filters cannot pass traffic to application filters.
The RPC filter expects RPC communications to begin on the RPC endpoint
mapper (TCP:135), and so it cannot protect against RPC exploits reaching an
Exchange server.
Note:
2. NIS inspection still recognizes RPC within HTTP and performs behavioral
and vulnerability filtering of the RPC traffic.
Solution: No workaround.
Forefront TMG does not support SIP traffic from an OCS server
Issue: Office Communicator SIP calls from an OCS server cannot pass through the
Forefront TMG SIP filter.
Cause: OCS uses TLS for SIP traffic. The SIP filter in Forefront TMG cannot parse the
TLS traffic.
Solution: No workaround. Solutions for OCS are provided by Security and Compliance
Partners (http://go.microsoft.com/fwlink/?LinkId=179985).
CNG certificates.
Solution: To bypass a limitation, you must exclude the specific site from HTTPS
inspection.
Add the site to the Destination Exceptions list for malware inspection settings.
Create an access rule that allows traffic to the selected destinations and does not apply
malware inspection.
Cause: Secure FTP uses an encrypted control channel between the FTP client and
server. After the FTP client and server establish an encrypted control channel, the
Forefront TMG FTP filter cannot see the FTP commands and so cannot create the
dynamic policy changes that are necessary to fully support FTP communications.
Web Proxy client FTP requests are passed over HTTP, and do not allow any
action that would change the content or structure of the FTP server. Therefore
you cannot use FTP upload from a Web Proxy client, and only FTP downloads
are supported.
Solution: There is no workaround for these limitations at this time. For more
information about troubleshooting outgoing FTP access, see Troubleshooting Outbound
FTP (http://go.microsoft.com/fwlink/?LinkId=88856).
Solution: No workaround.
Cause: RIS uses Trivial File Transfer Protocol (TFTP). Forefront TMG has a predefined
protocol for TFTP, with a secondary connection defined as all User Datagram Protocol
(UDP) ports, but this will only work when the Forefront TMG Client is installed on the
client computer.
Open the complete range of UDP ports from the client to the TFTP server.
Open the complete range of UDP ports from the TFTP server to the client.
For example, if a hardware virtualization platform is listed as ”validated” with the SVVP
(not “under evaluation”), Forefront TMG will be supported for production use on that
platform within the limits prescribed in the Microsoft Product Support Lifecycle, non-
Microsoft hardware virtualization policies, and the system requirements for that
product version and edition.
For hardware virtualization platforms not listed with the SVVP, Forefront TMG is
supported in accordance with remaining Microsoft support policies, limited as follows:
Tip:
For more information and best practices on edge virtualization, read Security
Considerations with Forefront Edge Virtual Deployments
(http://go.microsoft.com/fwlink/?LinkId=178740).
Forefront TMG does not support IPv6 traffic
Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).
Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by
default.
Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG
computer or array members. To disable the IPv6 stack on the Forefront TMG computer
or array member, see Knowledge Base article KB929852
(http://go.microsoft.com/fwlink/?LinkId=179983).
WCCP, ICP and ICAP protocols are not supported in Forefront TMG
Issue: The Web Cache Communication Protocol (WCCP), the Internet Cache Protocol
(ICP), and the Internet Cache Adaption Protocol (ICAP), are not supported in Forefront
TMG.
Solution: No workaround.
Authentication issues
This section describes the following authentication issues, their causes, and solutions:
Web Proxy SSL Connections are only supported for chained proxy connections
Solution: For details on this behavior and workarounds, see the following Knowledge
Base articles:
KB883285 (http://go.microsoft.com/fwlink/?linkid=54626).
KB810561 (http://go.microsoft.com/fwlink/?linkid=54627).
You configure a downstream Forefront TMG that does not require authentication
(anonymous).
Cause: When the upstream Forefront TMG requests authentication, the client
computer obtains a Kerberos ticket for the downstream server. This Kerberos ticket is
valid for authentication with the downstream Forefront TMG. This ticket cannot be used
to authenticate with the upstream Forefront TMG. When the Kerberos ticket is
presented to the upstream Forefront TMG, the upstream Forefront TMG cannot validate
the ticket, causing authentication to fail.
Solution: Deploy Kerberos authentication with this limitation in mind, or configure the
upstream Forefront TMG server to only use NTLM authentication (accomplished by
running the script given in KB927265 (http://go.microsoft.com/fwlink/?
LinkId=180368))
Web Proxy SSL connections are only supported for chained proxy connections
Issue: A Web Proxy client application is not supported with the SSL Web proxy
listener.
Cause: This listener is designed for use in Web-chained configuration when Basic
delegation is used to prevent credentials sniffing. Web proxy clients may be configured
to use and authenticate to this listener, but CERN proxy SSL connections cannot be
established through it, because they cannot establish more than one SSL session on a
TCP connection.
Cause: Forefront TMG can only use a computer account for rule authentication under
specific circumstances. Forefront TMG evaluates authentication conditions for a rule
from the settings on the Users tab of that rule, and identifies the computer originating
a request on the From tab. A rule is evaluated and applied if all the rule's conditions
are met. Within a particular tab, a rule is applied if any of the conditions are met. For
example, if the Users tab indicates that authentication is applied to three groups, a
user only needs to belong to one of the groups in order for the rule to be applicable.
On the Users tab, Forefront TMG allows you to specify users, groups, and security
principals to be authenticated on a rule. However, if you specify a computer account on
the Users tab, only applications running under the Local System or Network Service
account on the specified computer will be authenticated, when the specified computer
authenticates to a domain controller using Kerberos. This can occur when the Web
proxy listener of Forefront TMG is enabled for Windows Integrated authentication, and
the client supports Kerberos authentication (for example Windows Update).
1. Create an access rule from the VPN Quarantine Clients network to the
destination network. The VPN Quarantine Clients network will include the home
computer. Specify a more limited access policy in this rule, and optionally, add
a user account. The VPN Quarantine network must be enabled, and ensure that
the disconnection time is not specified (this is the default setting).
2. Create an access rule from the VPN Clients network to the destination network.
The VPN Clients network will include the corporate laptop. Specify a more
permissive policy on this rule, and add user accounts as required.
For this solution to work, you must include the Quarantine solution on each of the
corporate computers.
LDAP authentication in Forefront TMG
Issue: LDAP authentication is not supported for access rules.
Solution: No workaround.