Forefront TMG Operations

Published by legion347 on Sep 20, 2010

Forefront TMG Operations

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The Forefront TMG Operations guide provides information to help you configure Forefront TMG business scenarios, and manage and maintain your Forefront TMG servers. The guide includes the following topics:

• Setting up access to the Internet and corporate resources: Provides instructions on how to set up access to the Web for internal users, access for remote users and sites to the Internal network via virtual private networking, and access for internal and external users to corporate resources, such as SharePoint and Outlook Web Access.
• Protecting your networks: Provides instructions on how to protect the computers and servers in your extended network.
• Administering Forefront TMG: Provides instructions on how to monitor, back up and perform other administrative tasks for Forefront TMG.

http://technet.microsoft.com/en-us/library/cc441590.aspx

Setting up access to the Internet and corporate resources

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

One of the primary business scenarios for Forefront TMG is enabling secure access to the Web and to internal corporate resources. The following topics provide information that can help you configure different types of access in Forefront TMG:

• Configuring firewall policy: Provides information about creating access rules and recommendations regarding rule order.
• Configuring Web access: Provides information about creating a Web access policy for users and clients connected to the corporate network.
• Configuring VPN access: Provides information about configuring site-to-site and remote client virtual private network (VPN) access.
• Configuring publishing: Provides information about configuring access to corporate resources such as SharePoint and Exchange.

Configuring firewall policy

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information about configuring a firewall policy in Forefront TMG:

• Creating a firewall policy: Provides an overview of creating a firewall policy.
• Creating an access rule: Describes the basic steps of creating an access rule.
• Firewall policy configuration recommendations: Contains guidelines for optimizing your firewall policy.
• Configuring VoIP: Describes how to create access rules allowing voice over IP (VoIP) traffic.

Creating a firewall policy

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can create a firewall policy, which includes a set of access rules and publishing rules. These rules, together with network rules, determine how clients access resources across networks. For an overview of access rules, see Planning to control network access. For an overview of publishing rules, see Planning for publishing.

Working with access rules

Access rules control access from one network to another. One of the primary functions of Forefront TMG is to connect source and destination networks while protecting against malicious access. To facilitate this connectivity, you use Forefront TMG to create an access policy that permits clients on the source network to access specific computers on the destination network. The access policy determines how clients access other networks. For information about creating access rules, see Creating an access rule. For information about creating outbound Web access rules, that is, access from a client computer to the Internet, see Configuring Web access.

Working with publishing rules

Publishing rules control inbound access to published servers. Forefront TMG can make servers securely accessible to clients on another network. You use Forefront TMG to create a publishing policy to securely publish servers. The publishing policy (which consists of Web publishing rules, server publishing rules, secure Web publishing rules, and mail server publishing rules) and the Web chaining rules determine how published servers are accessed. You can use one of the following Forefront TMG rules to publish servers:

• Web publishing rules: To publish Web server content.
• Server publishing rules: To publish any other content.
• Secure Web publishing rules: To publish Secure Sockets Layer (SSL) content.
• Exchange mail publishing rules: To publish Web client mail access on an Exchange server or server farm.

When Forefront TMG processes an HTTP or HTTPS request from a client, it checks publishing rules and Web chaining rules to determine whether the request is allowed, and which server will service the request. For non-HTTP requests, Forefront TMG checks the network rules and then checks the publishing rules to determine if the request is allowed. For information about creating Web publishing rules, see Configuring Web publishing. For information about creating server publishing rules, see Configuring publishing of other protocols.

Creating an access rule

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to create access rules using the New Access Rule wizard.

To create an access rule using the New Access Rule wizard

1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node, and in the Tasks pane, click Create Access Rule.
2. Follow the instructions to complete the New Access Rule Wizard:
   • On the Rule Action page, specify whether the rule should allow or deny access.
   • On the Protocols page, to select the FTP, HTTP, or HTTPS protocols, leave the default setting Selected Protocols, and then click Add. In the Add Protocols dialog box, click to expand Web, and then select FTP, HTTP, or HTTPS. Do not select the protocols ending in "Server". These are used for non-Web server publishing rules, and not for outbound access.
   • On the Malware Inspection page, select whether to enable malware inspection for the rule. To enable this setting, malware inspection must be enabled globally. For more information, see Enabling malware inspection.

   • On the Access Rule Sources page, select the network objects (for example, subnets) from which requests will be received.
   • On the Access Rule Destinations page, select where to send the received requests. For Web access, select the External network (the Internet).
   • On the Users page, select whether requests for the rule must be authenticated. For anonymous access, leave the default All Users setting. To specify that the rule will only apply to a particular group of users, click Add, and then select either the predefined user sets or create a custom user set.

Firewall policy best practices

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

These best practices will help you create a firewall policy that results in the policy behaviors you want and provides security benefits, and they can help you boost the performance of your Forefront TMG deployment.

General Policy Guidelines

The performance of Forefront TMG is related to the type of information it requires to evaluate the rules. Because rules are evaluated in order, you want to place the rules that can be processed quickly near the top of the rule list, if this does not interfere with the behavior of the firewall policy you have designed. This way, if a request matches a rule that is high in the order, Forefront TMG does not have to compare the request to rules that might take longer to process.

Simple Rule Elements

The following rule elements require simple networking information and therefore are evaluated quickly:

• Protocol definitions
• Schedules
• All IP address based network elements (computers, computer sets, networks, and network sets)

Also, source port information is evaluated quickly. Rules that use these elements should be placed at the top of the rule list.

Complex Rule Elements

The following rule elements require additional networking information and therefore are evaluated more slowly:

• Domain name sets and URL sets
• Users (other than the built-in "All Users" user set)
• Content type

Rules that contain such elements should be placed at the bottom of the rule list.

Rules Using Application Filters

Rules that use the SMTP filter, HTTP filter, or FTP filter slow performance.

General Rule Order Recommendations

We recommend that you organize your access rules in this order:

1. Global allow rules. Rules that allow specific access to all users. An example of this would be a rule allowing access on the DNS protocol from the Internal network to the External network. These rules should use the rule elements that require simple networking information.
2. Global deny rules. Rules that deny specific access to all users. An example of such a rule would be a rule that denies all users access from anywhere to anywhere on protocols used for peer-to-peer file sharing. These rules should use the rule elements that require simple networking information.
3. Rules for specific computers. Rules that allow or deny access for specific computers, for example, a rule allowing UNIX computers access to the Internet.
4. Rules for specific users, URLs, and MIME types, and also publishing rules. Rules that contain rule elements that require additional networking information and that enforce policy for specific users, or for specific URLs or Multipurpose Internet Mail Extensions (MIME) types. Publishing rules should also occur at this point in the rule order.
5. Other allow rules. Rules that handle traffic that does not match rules that occur previously in the list of rules, assuming the traffic is allowed by your corporate policy. For example, a rule allowing all traffic from the Internal network to the Internet.

Note: Server publishing and Web publishing rules can be placed anywhere in the rule order after global allow or deny rules.

Specific Best Practices

The following best practices should be considered when creating firewall policy.

User Sets and Unauthenticated Users

Place rules that are based on user sets lower in the rule order, to preclude the bypassing by unauthenticated users of the rules based on user sets. Forefront TMG drops traffic from unauthenticated users after rules based on user sets. If you put these rules high in the rule order, you preclude further processing of traffic coming from unauthenticated users who otherwise match the rule definition. This may have the unintended effect of an allow rule functioning as a deny rule for unauthenticated users.

Note: Forefront TMG can only try to match authenticated users against rules that require client membership in a user set. Authenticated users include Firewall clients, virtual private network (VPN) clients, and authenticated Web clients.

Use IP Addresses

Where possible, use IP addresses rather than DNS names in your firewall policies. This reduces the reliance of Forefront TMG on the DNS servers, and this results in better performance. However, be aware that in some situations, you will not achieve the desired behavior by using IP addresses. For example, if you are trying to deny access to a site and the site's IP address is assigned dynamically, or if the site has more than one IP address, blocking an IP address does not block the site reliably. In this case, you should use the fully qualified domain name (FQDN) to block the site. For extra reliability, you can use both IP addresses and FQDNs in a rule. Note that you have to create separate rule elements for the IP addresses and for the FQDNs. When you use IP addresses and FQDNs in a single rule, the Forefront TMG rule engine first evaluates the request using the IP addresses, so that if there is a match, there is no need to try to resolve the FQDN to an IP address. This improves the efficiency of the rule. For examples of how Forefront TMG evaluates names and IP addresses in HTTP requests, see Name Evaluation in this document.

Use Fully Qualified Domain Names for URL Sets and Domain Name Sets

Use fully qualified domain names (FQDN) in domain name sets and URL sets. For examples of how Forefront TMG evaluates URLs and IP addresses in HTTP requests, see Name Evaluation in this document.

User Authentication and Performance

When a rule requires user authentication, it must rely on connectivity to and speed of the authenticating server, such as the domain controller or Remote Authentication Dial-In User Service (RADIUS) server. The authentication process can affect the performance of Forefront TMG. We therefore recommend that rules requiring authentication be placed near the bottom of the list of rules (assuming that this conforms to your policy design), so that only traffic that is not matched by an earlier rule will encounter the authenticating rule.

Note: You can use Forefront TMG connectivity verifiers to monitor connectivity with various servers. Connectivity verifiers are described in Forefront TMG Help.

Firewall Clients and User Sets

If the firewall policy includes a rule that refers to a user set (other than the default All Users), the Firewall client always tries to authenticate and will fail if it is in a workgroup or in an untrusted domain. The Firewall client will not be able to establish a connection with the Forefront TMG computer, and no traffic will be allowed.

Protocol Definitions

Do not create protocol definitions that duplicate or overlap existing protocol definitions. This can lead to unexpected behavior. For example, you may create a rule that allows all traffic except for a specific protocol, and you may find that the traffic you meant to deny on that protocol is actually allowed because there is a similar protocol defined. We recommend that you check the list of existing protocols carefully before you define additional protocols.

Rules by MIME Type

MIME types should be used as a criterion only in rules that apply solely to HTTP traffic. Because MIME types are not applicable to other types of traffic, a rule that includes any protocol other than HTTP and refers to MIME types is effectively disabled for those protocols.

Access Rules and Network Rules

An access policy that defines access between two networks will not allow access unless there is also a network rule defining the relationship between those two networks. This is also true for server publishing rules, but not for Web publishing rules.

Deny Access Rule on All Protocols with Source Port Restriction

Do not create a deny access rule on all protocols that includes a source port restriction. Because source ports are not checked for secondary connections, all protocols will then be blocked on secondary connections (if the rule allowing the secondary connection is lower in the rule order than the deny access rule with the source port restriction).
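The rule-order guidance above (the general order, user sets and unauthenticated users, and overlapping protocol definitions) all follows from first-match evaluation. The Python model below is an added example, not Forefront TMG code and not its administration interface: it walks a constructed rule list top to bottom, reproduces the two pitfalls the text describes, and lets you check a rule order before committing it in the console. The protocol table, addresses, user names and groups are made up for the illustration.

```python
# Added simulation of first-match access-rule evaluation, written to show the
# rule-order guidance above. It is not Forefront TMG code and calls no TMG API;
# the protocol table, rules and requests are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Protocol definitions as (transport, port). CLEAN_DEFS is what the text
# recommends; OVERLAPPING_DEFS adds a second definition on the same port.
CLEAN_DEFS = {"DNS": ("udp", 53), "HTTP": ("tcp", 80), "BitTorrent": ("tcp", 6881)}
OVERLAPPING_DEFS = {"Custom 6881": ("tcp", 6881), **CLEAN_DEFS}


def classify(defs: dict, transport: str, port: int) -> Optional[str]:
    """Name the first protocol definition that covers the traffic."""
    for name, (t, p) in defs.items():
        if (t, p) == (transport, port):
            return name
    return None


@dataclass(frozen=True)
class Request:
    src_ip: str
    transport: str
    port: int
    user: Optional[str] = None          # None: unauthenticated client
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    protocols: frozenset                # empty: all protocols
    sources: tuple                      # ip_network objects (a simple element)
    users: Optional[frozenset] = None   # None: All Users; set: a user-set rule


def evaluate(rules, req: Request, defs: dict = CLEAN_DEFS) -> Tuple[str, str]:
    """Return (decision, rule name) from the first rule that applies."""
    protocol = classify(defs, req.transport, req.port)
    for rule in rules:
        if rule.protocols and protocol not in rule.protocols:
            continue
        if not any(ip_address(req.src_ip) in net for net in rule.sources):
            continue
        if rule.users is not None:
            if req.user is None:
                # Unauthenticated traffic that reaches a user-set rule is not
                # processed further: an allow rule acts as a deny for it.
                return ("deny (authentication required)", rule.name)
            if not (rule.users & req.groups):
                continue
        return (rule.action, rule.name)
    return ("deny", "default")


INTERNAL = (ip_network("10.0.0.0/8"),)
ANYWHERE = (ip_network("0.0.0.0/0"),)


def recommended_order():
    """Global allow, global deny, rules for all users, then user-set rules."""
    return [
        Rule("Allow DNS", "allow", frozenset({"DNS"}), INTERNAL),
        Rule("Deny P2P", "deny", frozenset({"BitTorrent"}), ANYWHERE),
        Rule("Allow Web for all", "allow", frozenset({"HTTP"}), INTERNAL),
        Rule("Allow all for Admins", "allow", frozenset(), INTERNAL, frozenset({"Admins"})),
    ]


def user_rule_first():
    """The same rules with the user-set rule moved to the top of the list."""
    rules = recommended_order()
    return [rules[3]] + rules[:3]


def demo() -> dict:
    anon_web = Request("10.1.2.3", "tcp", 80)
    admin_p2p = Request("10.1.2.4", "tcp", 6881, "alice", frozenset({"Admins"}))
    return {
        "anon_web_recommended": evaluate(recommended_order(), anon_web),
        "anon_web_user_rule_first": evaluate(user_rule_first(), anon_web),
        "admin_p2p_clean_defs": evaluate(recommended_order(), admin_p2p),
        "admin_p2p_overlapping_defs": evaluate(recommended_order(), admin_p2p, OVERLAPPING_DEFS),
    }
```

demo() returns the decision for each case. Moving the Admins rule to the top turns the Allow Web rule into a refusal for the anonymous client, which is the unintended deny the User Sets section warns about; and the second definition on TCP 6881 hides the BitTorrent deny rule from traffic the classifier tags with the other name, which is the Protocol Definitions pitfall.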

Secure the Remote Management Computers Computer Set

Restrict membership in the Remote Management Computers computer set to computers that require remote administration access. In particular, do not add entire networks, such as the Internal network, to the computer set. This helps protect the firewall from worms that affect those networks.

Network for Infected Computers

Create a network to contain computers that are infected. Do not create any network rules for the network, so that it will not have any access. When a computer is infected, move it into that network. Note that each computer that you move into this network creates a gap in the address range of the Internal network, thus fragmenting it. Fragmented networks have a negative performance impact on Forefront TMG Network Load Balancing (NLB), so this approach should be used carefully, and computers should be returned to their original network as quickly as possible.

Access Rule for Windows Update

To enable access to the Windows Update servers, create an access rule allowing access for users to the Microsoft Update Domain Name Set. This rule should be placed high in the ordered list of firewall policy rules. In particular, it must precede Web access rules that require authentication, because such a rule will also block access to Windows Update.

Note: In this scenario, on the Web proxy tab for the user network, after you click Authentication, you should not select Require all users to authenticate, which may block some users from obtaining updates from Windows Update.

Name Evaluation

When a client makes an HTTP request, it may be a name, an FQDN, or an IP address. This topic provides examples of how Forefront TMG handles these requests.

If an HTTP request uses a site name, such as http://www.fabrikam.com, Forefront TMG recognizes the name in the request and performs a forward name resolution to a DNS server to get the FQDN, aliases, and the IP addresses associated with that name. The result is that Forefront TMG has available the site name, the FQDN, the aliases, and the IP addresses to compare to the access rule requirements. Any one of those elements could be a match to the rule, depending on which element was used in the rule. In the example of www.fabrikam.com, the following elements could match an access rule:

• Name: www.fabrikam.com
• FQDN: fabrikam.com
• IP addresses: 207.46.130.108, 207.46.250.119

If an HTTP request uses an IP address, Forefront TMG first checks the rules to see if a rule matches that IP address. During this process, if Forefront TMG encounters a rule that requires a name, it performs reverse name resolution to obtain the FQDN for that IP address. Forefront TMG can then compare the FQDN to the access rule definitions. If the reverse name resolution fails, only the original IP address in the request is used in comparison to the rule definitions.

Note: In the case of a SecureNAT client requesting a site by name, Forefront TMG first verifies that the host header content is not masking an unrelated IP address requested by the client. If this verification succeeds, the process continues as it would for a Web Proxy client.

Configuring VoIP

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can configure policy rules that allow Voice over IP (VoIP) traffic through Forefront TMG. VoIP is carried over User Datagram Protocol (UDP) and is based on two other protocols: Session Initiation Protocol (SIP) for call establishment and termination, and Real Time Protocol (RTP) for media (audio and video). An Internet Protocol Private Branch Exchange (IP PBX) telephone system switches calls between VoIP users, or between two traditional telephone users, and can also switch calls between a VoIP user and a traditional telephone user. The IP PBX transfers voice over data networks, such as local area network (LAN) and wide area network (WAN). When Forefront TMG is deployed at the edge or within your organization, you can configure policy rules which enable SIP and RTP traffic to pass through Forefront TMG.

The following topics provide information on:

• Configuring access for VoIP: How to create access rules which allow Voice over IP (VoIP) over Forefront TMG.
• Configuring advanced VoIP settings: How to configure VoIP settings which allow clients on the Internal network to receive and send calls through the Internet Protocol Private Branch Exchange (IP PBX) system.
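Going back to the Name Evaluation topic above, the Python model below is an added example (not Forefront TMG code) of which elements a request is compared against: a site-name request contributes the name, FQDN, aliases and addresses from a forward lookup; an address request contributes the address plus the FQDN from a reverse lookup, or only the address when that lookup fails; and a SecureNAT request is first checked for a Host header that masks an unrelated address. The DNS tables are constructed for the example (the two addresses are the ones the topic lists for www.fabrikam.com; 198.51.100.7 is a made-up unrelated address), and the rule destination sets are likewise invented.

```python
# Added illustration of the name-evaluation behaviour described in the text.
# This is a constructed model, not Forefront TMG code; the DNS tables below
# are made up for the example (the two addresses are the ones the topic lists
# for www.fabrikam.com).
from ipaddress import ip_address
from typing import Optional

# Forward view: requested name -> (canonical FQDN, aliases, IP addresses).
FORWARD = {
    "www.fabrikam.com": ("www.fabrikam.com", {"fabrikam.com"},
                         {"207.46.130.108", "207.46.250.119"}),
}
# Reverse view: only one of the two addresses has a PTR record, so a request
# for the other address exercises the "reverse resolution fails" path.
REVERSE = {"207.46.130.108": "www.fabrikam.com"}


def is_ip_literal(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def evaluation_set(target: str, secure_nat_dst_ip: Optional[str] = None) -> Optional[set]:
    """Names and addresses compared against rule destinations for one request.

    target is what the client asked for (site name or IP literal). For a
    SecureNAT client, secure_nat_dst_ip is the address the client actually
    connected to; the Host header is checked against it first. None means that
    check failed (the text does not say what happens next, so nothing is assumed)."""
    if is_ip_literal(target):
        # IP request: the address is compared; reverse resolution adds the
        # FQDN only if it succeeds.
        fqdn = REVERSE.get(target)
        return {target} | ({fqdn} if fqdn else set())
    record = FORWARD.get(target)
    if record is None:
        return {target}          # name did not resolve: only the literal name is left
    fqdn, aliases, ips = record
    if secure_nat_dst_ip is not None and secure_nat_dst_ip not in ips:
        return None              # Host header masks an unrelated address
    # Name request: site name, FQDN, aliases and all addresses are candidates.
    return {target, fqdn, *aliases, *ips}


def rule_matches(rule_destinations: set, target: str,
                 secure_nat_dst_ip: Optional[str] = None) -> Optional[bool]:
    """True if any candidate element equals a destination element of the rule."""
    candidates = evaluation_set(target, secure_nat_dst_ip)
    if candidates is None:
        return None
    return bool(candidates & rule_destinations)


# Constructed rule destination sets.
BY_NAME_ONLY = {"www.fabrikam.com"}
BY_ALIAS_ONLY = {"fabrikam.com"}
NAME_AND_IPS = {"www.fabrikam.com", "207.46.130.108", "207.46.250.119"}


def demo() -> dict:
    return {
        # name request matches a rule written with the alias (forward lookup)
        "name_vs_alias_rule": rule_matches(BY_ALIAS_ONLY, "www.fabrikam.com"),
        # IP request with a PTR record matches a name-only rule (reverse lookup)
        "ptr_ip_vs_name_rule": rule_matches(BY_NAME_ONLY, "207.46.130.108"),
        # IP request without a PTR record is not matched by a name-only rule
        "no_ptr_ip_vs_name_rule": rule_matches(BY_NAME_ONLY, "207.46.250.119"),
        # listing both the FQDN and the addresses catches every form of request
        "no_ptr_ip_vs_name_and_ips": rule_matches(NAME_AND_IPS, "207.46.250.119"),
        # SecureNAT: Host header agrees with the connected address
        "securenat_ok": rule_matches(BY_NAME_ONLY, "www.fabrikam.com", "207.46.130.108"),
        # SecureNAT: Host header names a site unrelated to the connected address
        "securenat_masked": rule_matches(BY_NAME_ONLY, "www.fabrikam.com", "198.51.100.7"),
    }
```

demo() shows why the Use IP Addresses section recommends putting both the FQDN and the addresses in a deny rule: a request for 207.46.250.119, which has no PTR record in the table, is not matched by a rule that names only www.fabrikam.com, but is caught once the addresses are added as separate elements.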

Configuring access for VoIP

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following procedures describe:

• Configuring an external (hosted) IP PBX
• Configuring an internal IP PBX connected to the PSTN
• Configuring an internal IP PBX with a SIP trunk
• Configuring an internal IP PBX with an external (hosted) IP PBX

Configuring an external (hosted) IP PBX

Use this configuration when you use an external or hosted IP PBX system provided by an Internet Telephony Service Provider (ITSP).

To configure a hosted IP PBX

1. On the Forefront TMG server, click the Firewall Policy node.
2. In the Tasks tab, click Configure VoIP.
3. In the SIP Configuration Wizard, select IP phones are connected to an External (Hosted) IP PBX.
4. Follow the steps in the wizard to specify the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the phones that will be used for SIP traffic.
5. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

This VoIP configuration adds the following rules:

• Allow SIP traffic between phones and IP PBX: Enables SIP traffic from the internal phones to reach the external PBX.
• Allow RTP traffic between phones: Enables media traffic between the internal phones.
• Allow RTP traffic to External network: Enables media traffic from the internal phones to reach the external network.

Configuring an internal IP PBX connected to the PSTN

Use this configuration when you use an internal IP PBX and the PSTN for external calls. In this case, you need a SIP gateway that converts calls between the IP network and the PSTN.

To configure an internal IP PBX connected to the PSTN

1. On the Forefront TMG server, click the Firewall Policy node.
2. In the Tasks tab, click Configure VoIP.
3. In the SIP Configuration Wizard, select IP phones are connected to an Internal IP PBX.
4. Select The internal PBX is not connected to an external service provider and The internal PBX is connected to a PSTN via SIP.
5. Follow the steps in the wizard to specify the location of the SIP gateway and the IP address of the internal PBX, and specify the network addresses of the internal IP phones.
6. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

This VoIP configuration adds the following rules:

• Allow SIP traffic between SIP IP PBX and internal SIP components: Enables SIP traffic between the IP phones, the internal SIP Proxy (that is, the IP PBX), and the SIP gateway.
• Allow RTP to internal IP PBX: Enables media (RTP) traffic from the internal phones and SIP gateway to reach the IP PBX.
• Allow RTP traffic to Phones: Enables media (RTP) traffic from the IP PBX and SIP gateway to reach the IP phones.
• Allow RTP traffic to SIP gateway: Enables media (RTP) traffic from the internal phones and IP PBX to reach the SIP gateway.

Configuring an internal IP PBX with a SIP trunk

Use this configuration when you use an internal IP PBX and a SIP trunk between your IP PBX and the ITSP for external calls.

To configure an internal IP PBX with a SIP trunk

1. On the Forefront TMG server, click the Firewall Policy node.
2. In the Tasks tab, click Configure VoIP.
3. In the SIP Configuration Wizard, select IP phones are connected to an Internal IP PBX.
4. Select The internal PBX is serviced by SIP trunk service.
5. Follow the steps in the wizard to specify the IP address of the internal PBX and the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the internal IP phones.
6. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

This VoIP configuration adds the following rules:

• Allow SIP traffic between internal IP PBX and external IP PBX: Enables SIP from the internal IP PBX to reach the external IP PBX.
• Allow SIP between internal SIP components: Enables SIP between the IP phones and the internal SIP Proxy, that is, the IP PBX.
• Publish internal IP PBX to the External network: Allows traffic from the external IP PBX to reach the internal IP PBX.
• Allow RTP traffic to internal IP PBX: Enables media (RTP) traffic from the internal phones to reach the IP PBX.
• Allow RTP traffic to phones: Enables media (RTP) traffic from the IP PBX to reach the IP phones.
• Allow RTP traffic to External network: Enables media (RTP) traffic from the internal phones and IP PBX to reach the external network.

Configuring an internal IP PBX with an external (hosted) IP PBX

Use this configuration when you use an internal IP PBX and a hosted PBX.

To configure an internal IP PBX with an external (hosted) IP PBX

1. On the Forefront TMG server, click the Firewall Policy node.
2. In the Tasks tab, click Configure VoIP.
3. In the SIP Configuration Wizard, select IP phones are connected to an Internal IP PBX.
4. Select The internal PBX is serviced by external (hosted) service.
5. Follow the steps in the wizard to specify the IP address of the internal PBX and the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the internal IP phones.
6. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

This VoIP configuration adds the following rules:

• Allow SIP traffic between internal IP PBX and external IP PBX: Enables SIP from the internal IP PBX to reach the external IP PBX.
• Allow SIP traffic between the SIP IP PBX and internal SIP components: Enables SIP between the internal SIP components and the SIP IP PBX.
• Allow RTP traffic to internal IP PBX: Enables media (RTP) traffic from the internal phones to reach the IP PBX.
• Allow RTP traffic to phones: Enables media (RTP) traffic from the IP PBX to reach the IP phones.
• Allow RTP traffic to External network: Enables media (RTP) traffic from the internal phones and IP PBX to reach the external network.

Configuring advanced VoIP settings

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

VoIP settings allow clients on the Internal network to receive and send calls through the IP PBX system. The following procedures describe how to enable and configure VoIP settings and SIP quotas.

To configure VoIP settings

1. In the Forefront TMG Management console, in the tree, click Firewall Policy.
2. On the Tasks tab, click Configure VoIP Settings.
3. Select Enable internal SIP clients to register externally to enable clients on the internal network to receive incoming calls from the IP PBX.
4. In the External registration IP address dialog box, enter a network IP address dedicated to the IP PBX system. If you use 0.0.0.0, the Forefront TMG external IP address is used.
5. In the Number of registration ports for SIP in addition to default port, enter the number of times the same client can register with the external IP PBX.
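The SIP quota procedure that follows sets four limits: a global and a per-address cap on registrations, and a global and a per-address cap on simultaneous calls. The Python class below is an added model of how those four limits combine (it is not the Forefront TMG SIP filter and uses no TMG API); the quota values and client addresses are made up for the demonstration, and calls are counted independently of registrations, which is an assumption of the model rather than something the text states.

```python
# Added model of the SIP quota settings described in the procedure. It is a
# constructed illustration of the four limits' semantics, not the code of the
# Forefront TMG SIP filter; the quota values and addresses are made up.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SipQuotas:
    global_max_registrations: int   # Global max number of registrations on the filter
    max_registrations_per_ip: int   # Max number of registrations for specific IP address
    global_max_calls: int           # Global max number of calls on the filter
    max_calls_per_ip: int           # Max number of calls for specific IP address


class SipQuotaTracker:
    """Admits or refuses registrations and calls from internal SIP clients.

    Assumption of this model: calls are counted on their own, without requiring
    a prior registration from the same address."""

    def __init__(self, quotas: SipQuotas):
        self.quotas = quotas
        self.registrations = Counter()  # internal IP -> active registrations
        self.calls = Counter()          # internal IP -> calls in progress

    def _admit(self, counter: Counter, ip: str, global_max: int, per_ip_max: int) -> bool:
        if sum(counter.values()) >= global_max:
            return False                # filter-wide limit reached
        if counter[ip] >= per_ip_max:
            return False                # this address is already at its limit
        counter[ip] += 1
        return True

    def register(self, ip: str) -> bool:
        return self._admit(self.registrations, ip,
                           self.quotas.global_max_registrations,
                           self.quotas.max_registrations_per_ip)

    def unregister(self, ip: str) -> None:
        if self.registrations[ip] > 0:
            self.registrations[ip] -= 1

    def start_call(self, ip: str) -> bool:
        return self._admit(self.calls, ip,
                           self.quotas.global_max_calls,
                           self.quotas.max_calls_per_ip)

    def end_call(self, ip: str) -> None:
        if self.calls[ip] > 0:
            self.calls[ip] -= 1


def demo() -> dict:
    # Constructed quotas: 4 registrations in total, 2 per address;
    # 3 calls in total, 1 per address.
    tracker = SipQuotaTracker(SipQuotas(4, 2, 3, 1))
    results = {}
    results["reg_1a"] = tracker.register("10.0.0.1")
    results["reg_1b"] = tracker.register("10.0.0.1")
    results["reg_1c"] = tracker.register("10.0.0.1")       # per-address limit (2) hit
    results["reg_2a"] = tracker.register("10.0.0.2")
    results["reg_2b"] = tracker.register("10.0.0.2")       # global count is now 4
    results["reg_3"] = tracker.register("10.0.0.3")        # global limit (4) hit
    results["call_1a"] = tracker.start_call("10.0.0.1")
    results["call_1b"] = tracker.start_call("10.0.0.1")    # per-address call limit (1)
    results["call_2"] = tracker.start_call("10.0.0.2")
    results["call_3"] = tracker.start_call("10.0.0.3")     # global count is now 3
    results["call_4"] = tracker.start_call("10.0.0.4")     # global call limit (3)
    tracker.end_call("10.0.0.1")
    results["call_4_after_hangup"] = tracker.start_call("10.0.0.4")
    return results
```

demo() returns the admit or refuse decision for each step: the third registration from 10.0.0.1 fails on the per-address limit, the first from 10.0.0.3 fails on the global limit, and a call from 10.0.0.4 is refused until another call ends. The per-address caps are what keep one misbehaving phone from consuming the whole global allowance.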

To configure SIP quotas

1. In the Forefront TMG Management console, in the tree, click Firewall Policy.
2. On the Tasks tab, click Configure VoIP Settings.
3. Click Configure SIP Quotas.
4. In Global max number of registrations on the filter, enter the number of internal clients that are allowed to register with the external IP PBX.
5. In Max number of registrations for specific IP address, enter the number of internal clients that are allowed to register with the external IP PBX via a specific IP address.
6. In Global max number of calls on the filter, enter the number of simultaneous calls allowed from internal clients to the external IP PBX.
7. In Max number of calls for specific IP address, enter the number of simultaneous calls allowed from the internal clients to the external IP PBX via a specific Internal IP address.

Configuring Web access

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information about configuring Web access in Forefront TMG:

- Enabling access to the Internet - Describes how to create and configure Web access policy rules.
- Caching Web site content - Describes how to set up caching of frequently downloaded content in order to improve the speed of Web access and improve network performance.

Enabling access to the Internet

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

In Forefront TMG, you enable access to the Web by creating access rules. When creating a Web access policy for your organization, it is recommended that you do the following:

1. Use the Web Access Policy wizard to create a basic Web access policy. This basic policy provides anonymous access for internal users to all Web destinations, except for those Web destinations that you select. You can use predefined URL categories to filter out the types of Web destinations you do not want your users to access. You can also designate users or user sets to whom these blocks do not apply. The wizard also allows you to enable protection technologies for Web-based threats.
2. After completing the Web Access Policy wizard, you can fine-tune the Web access policy by editing the properties of the Web access rules. Among other things, you can force users to authenticate before granting them access to the Web, set up different access rules for different users, control the times when they can access the Web, and what file types they can download.

The following topics describe how to enable and configure Web access in your organization:

- Creating a basic Web access policy - Describes how to create a simple Web access policy.
- Configuring Web access rule options - Describes how to differentiate the Web access policy for different users and computers.
- Customizing HTML error messages in Forefront TMG - Describes how to customize the error messages that Web browser clients sometimes receive as a result of a Web request.

Caching Web site content

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG implements a cache feature that improves the performance and response times for Web requests. Forward caching provides cached Web objects to internal users who make requests to the Internet, thus providing faster access and reduced traffic on the Internet connection.

The topics in this section describe how to enable and configure caching, create rules that specify which content should be cached, and create content download jobs to specify how content should be collected.

In this section

- Enabling caching
- Configuring cache rules
- Configuring content download jobs

Configuring VPN access

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides virtual private network (VPN) access to the internal corporate network, for clients on remote networks and roaming clients who connect over the Internet. The following topics provide information about configuring VPN access in Forefront TMG:

- Configuring site-to-site VPN access - Describes how to create a VPN connection to a remote network.
- Configuring remote client VPN access - Describes how to allow users who work remotely to connect to the corporate network over the Internet with high security.

http://technet.microsoft.com/en-us/library/dd897034.aspx

Configuring site-to-site VPN access

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can allow clients on remote networks to connect to resources on your corporate network by establishing a site-to-site virtual private network (VPN). This enables clients on the remote network to access resources on the corporate network with high security, while enabling clients on the corporate network to access resources on the remote site.

The following topics describe how to configure a site-to-site VPN connection:

- Creating a user account to authenticate the remote site - Describes how to create a user account so that the remote site can authenticate to the VPN gateway.
- Creating a VPN remote site connection - Provides step by step instructions for creating a remote site connection using the Create VPN Site-to-Site Connection wizard.
- Configuring addresses for NLB-enabled remote sites - Describes the special considerations when working with remote sites that use Network Load Balancing.
- Testing the configuration (site-to-site) - Describes how to test site-to-site connectivity by trying to access a computer on the remote network.
- Configuring EAP authentication - Describes how to complete the configuration of Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) networks, using Extensible Authentication Protocol (EAP).
- Terminating inactive VPN connections automatically - Describes how to configure Forefront TMG to terminate inactive connections on PPTP and L2TP VPN networks.

Configuring remote client VPN access

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Enabling remote access via a virtual private network (VPN) allows users who work remotely to connect to an organization's private network over the Internet. For information about planning your VPN deployment, see Planning for virtual private networks.

The following topics provide information about configuring remote client access via a VPN in Forefront TMG:

- Defining remote VPN clients
- Enabling basic remote client access
- Configuring remote client access with enhanced security
- Installing the remote access quarantine tool
- Configuring RQS and RQC based quarantine control
- Enforcing VPN client health requirements using NAP

http://technet.microsoft.com/en-us/library/dd441032.aspx

Configuring publishing

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information about configuring publishing in Forefront TMG:

- Configuring Web publishing
- Configuring publishing of other protocols

http://technet.microsoft.com/en-us/library/bb838876.aspx

Configuring Web publishing

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can publish Web servers over secure or unsecured connections. The following topics describe how to configure different types of Web publishing:

- Configuring Web publishing: Overview
- Publishing Web servers over HTTP
- Publishing Web servers over HTTPS
- Configuring Outlook Web Access publishing
- Configuring Outlook Mobile Access publishing
- Configuring ActiveSync publishing
- Configuring SharePoint publishing
- Configuring Web publishing rules
- Customizing HTML forms
- Configuring bandwidth prioritization
- Configuring HTTP compression

http://technet.microsoft.com/en-us/library/cc441546.aspx

Configuring publishing of other protocols

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can publish servers running protocols other than HTTP. Forefront TMG uses server publishing rules to forward incoming client requests for non-HTTP servers located in a network protected by Forefront TMG. A server publishing rule maps a port number and one or more IP addresses on which the Forefront TMG computer listens for client requests to a port number and IP address on the published server.

The following topics describe how to create server publishing rules:

- Creating and using a server protocol
- Configuring FTP server publishing
- Configuring SQL Server publishing
- Configuring RDP publishing

http://technet.microsoft.com/en-us/library/cc441471.aspx

Protecting your networks

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG has a number of protection technologies that allow you to protect the computers and servers in your extended network. The following topics describe how to enable, configure, and keep up-to-date these protections:

- Configuring protection from network attacks - Describes how to protect your networks from flood, DNS, and other kinds of attacks.
- Configuring protection from known vulnerabilities - Describes how to protect your networks from attempts to exploit known vulnerabilities in operating systems and applications.
- Configuring protection from Web-based threats - Describes how to protect your organization from malware and other Web-based threats.
- Configuring protection from e-mail-based threats - Describes how to protect your SMTP mail servers (and consequently e-mail recipients) from spam, viruses and other malware.
- Managing definition updates for Forefront TMG - Describes how to configure the update mechanisms for these protections.

Note: For more information about these protections, see Protection design guide for Forefront TMG.

http://technet.microsoft.com/en-us/library/dd441054.aspx

Administering Forefront TMG

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

This guide provides information about administering Forefront TMG. The following topics explain how to manage day-to-day operations for Forefront TMG:

- Monitoring Forefront TMG
- Managing URL filtering
- Backing up and restoring the Forefront TMG configuration
- Forefront TMG Troubleshooting

http://technet.microsoft.com/en-us/library/dd897028.aspx

Monitoring Forefront TMG

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information that can help you monitor Forefront TMG:

- Monitoring activity from the dashboard
- Configuring alerts
- Configuring Forefront TMG logs
- Configuring Forefront TMG reports

http://technet.microsoft.com/en-us/library/cc441452.aspx

Monitoring activity from the dashboard

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG monitoring allows you to do the following:

- Monitor connectivity to network servers, as well as the status of services. You can create connectivity verifiers to check the availability of specific network servers. For instructions, see Monitoring server connectivity.
- Check the current state of the system by monitoring alerts that have been issued. For instructions, see Monitoring alerts.
- Track activity by monitoring current sessions for Forefront TMG Clients, Web proxy clients, and SecureNAT clients. For more information, see Monitoring client sessions.
- Monitor traffic status by using performance counters. For details, see Monitoring performance.
- Check the status of Forefront TMG configuration on each array member.

Configuring alerts

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG events are generated by Forefront TMG services when particular runtime conditions occur. Some events have additional conditions. In this case, both the event and the additional condition must occur before the alert is triggered. Forefront TMG provides a number of predefined alerts for every type of event defined by Forefront TMG.

The alert service of Forefront TMG acts as a dispatcher and an event filter. It notifies you when specified events occur by triggering an alert for the event.

The following topics provide information that can help you configure alerts:

- Configuring alert definitions
- Configuring alert actions

Configuring Forefront TMG logs

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides a number of logging formats, including logging to a text file, a local SQL Server Express database, and a remote SQL Server computer. Because Forefront TMG is deployed to help secure your network, it is critical that logging information is always available and accurate. Forefront TMG provides a log queue feature to help ensure log availability during peak logging. You should carefully monitor alerts and verify that their activity is always being logged. Check for alerts that indicate failure to log for a variety of reasons, including disk space, SQL Server connectivity issues, and others.

The following table summarizes the default log settings following installation:

Setting       | Details                                      | Defaults
Firewall log  | Logs traffic handled by the Firewall service | Enabled by default to log into the SQL Express database on the local computer.
Web proxy log | Logs traffic handled by the Web proxy filter | Enabled by default to log into the SQL Express database on the local computer.

Log folder    | Location of log files                        | By default in the ISALogs folder of the Forefront TMG installation directory.
Log limits    | Management of log file size                  | Default settings: Total size limit = 8GB; Free disk size to maintain = 512MB; Maintenance method: Delete files as necessary; Delete files older than = 7 days.
Log queue     | The log queue is used to temporarily store log entries when they cannot be formatted. This may occur when log entries are generated faster than they can be formatted, or there is no connectivity to a remote SQL Server database. | By default the log queue is stored in the ISALogs folder of the Forefront TMG installation folder.
Alerts        | The alerts service notifies you when specific events occur. | All log-related alerts are enabled by default.

The following topics provide information that can help you configure and maintain logs and run log queries:

- Enabling logging
- Configuring logging to a remote SQL server
- Setting up SQL Server for logging
- Configuring logging to SQL Server Express
- Configuring logging to a text file
- Configuring the log location
- Configuring the log queue
- Selecting log fields
- Logging requests matching a rule
- Configuring logging to avoid lockdown
- Querying the Forefront TMG logs

Configuring Forefront TMG reports

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

With Forefront TMG reporting, you can create a permanent record of common usage patterns, and you can summarize and analyze log information. For example, you can determine:

- Who is accessing sites, and which sites are being accessed.
- Which protocols and applications are being used most often.
- General traffic patterns.
- Cache ratio.
- Security monitoring.
- Malware activity.
- Network inspection activity.
- URL filtering.

Similarly, you can generate reports that track malicious attempts to access internal resources. For example, by tracking the number of connections to a published server or the traffic to the server, you might identify an attempt at denial of service.

Report types and categories

There are two types of reports:

- One-time reports. These ad hoc reports provide an immediate picture of the activity recorded by Forefront TMG over any period you specify.

- Recurring report jobs. You can schedule automated reports on a daily, weekly, or monthly basis. The time periods available for these reports are more structured than those of one-time reports. For example, a report that is generated every day will show a day's activity, and a report that is generated once a month will show exactly a month's activity.

Forefront TMG provides predefined report categories and subcategories. These reports can be customized, using SQL Server reporting services.

Reporting mechanism

Forefront TMG reports are based on log summaries derived from the Web Proxy and Firewall logs. Forefront TMG generates two types of log summaries, daily and monthly, which all reports are based on. Log summaries are generated at night (by default at 12:30am), however this time is configurable.

Note: Reports contain activity from the previous day and earlier.

The following topics provide information that can help you configure reports:

- Creating reports
- Viewing reports
- Customizing reports
- Changing the report server

Managing URL filtering

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information about managing URL filtering:

- Introduction to managing URL filtering
- Looking up a URL category
- Overriding URL categorization

http://technet.microsoft.com/en-us/library/dd897105.aspx

Introduction to managing URL filtering

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

URL filtering allows you to create access rules that allow or block access to Web sites based on their categorization in the URL filtering database. When a request to access a Web site is received, Forefront TMG queries the remotely hosted Microsoft Reputation Service to determine the categorization of the Web site. If the Web site has been categorized as a blocked URL category or category set, Forefront TMG blocks the request.

If a user requests access to a Web site and discovers that access to the Web site is blocked, he receives a denial notification that includes the denied request category. In some cases, the user may contact the administrator to dispute the categorization of the Web site. In such a case, you must check that the URL was categorized properly (see Looking up a URL category). If the Web site was not categorized correctly, then you must create a custom setting for this URL (see Overriding URL categorization).

http://technet.microsoft.com/en-us/library/dd897045.aspx

Looking up a URL category

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following procedure describes how to query the URL filtering database regarding the categorization of a URL or IP address.

To look up a URL category

1. In the Forefront TMG Management console, in the tree, click Web Access Policy.
2. In the Tasks pane, click Query for URL Category.
3. On the Category Query tab, type a URL or IP address, and then click Query.
4. The result of the category is displayed on the tab, as well as some insight as to the source of the categorization, such as by override.

To change a domain's categorization, copy the URL or IP address to the computer's clipboard, and click the URL Category Override tab. For more information, see Overriding URL categorization.

Note: Each URL must include a host name, IP address, or URL alias, and may include a path, query string, escaped characters (such as "%20" to represent a space) and a protocol (such as HTTP://). For example, http://www.contoso.com/training/.

Overriding URL categorization

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following procedure describes how to specify a new URL category for an IP address or URL.

To override URL categorization

1. In the Forefront TMG Management console, in the tree, click Web Access Policy.
2. In the Tasks pane, click Configure URL Filtering.
3. On the URL Category Override tab, click Add.
4. Under Override the default URL category for this URL pattern, type a URL pattern in the format www.contoso.com/*.
5. Under Move URL pattern to this category, select a new URL category.
6. Click OK. The URL Categories Override dialog closes. Click OK again, and then on the Apply Changes bar, click Apply.

Note:

- Each URL must include a host name and a path, and may include a query string and escaped characters (such as "%20" to represent a space).
- Do not include a protocol (such as HTTP://) with the URL.
- Forefront TMG does not support the use of Internationalized Domain Name (IDN) URLs.

Backing up and restoring the Forefront TMG configuration

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics describe how to back up and restore Forefront TMG settings, for the different configuration options:

- Backing up and restoring the enterprise configuration
- Backing up and restoring the array configuration
- Backing up and restoring specific policies and settings
- Backing up and restoring using VSS Writer

Before you start the backup or restore process, make sure you read the information provided in Planning for backup and restore.

http://technet.microsoft.com/en-us/library/bb794815.aspx

Backing up and restoring the enterprise configuration

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to back up and restore the enterprise configuration from your Enterprise Management Server (EMS). Enterprise configuration settings are relevant for, and are shared by, all members of the array.

The following procedures provide instructions on:

- Backing up an enterprise configuration
- Restoring an enterprise configuration

Note: You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore the enterprise configuration. To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise Administrator.

Backing up an enterprise configuration

To back up an enterprise configuration

1. In the Forefront TMG Management console, in the tree, click the Enterprise node.
2. On the Tasks tab, click Export Enterprise Configuration.
3. To export confidential information, select Export confidential information and provide a password. Confidential information, such as user passwords and certificates, is encrypted during the export process. The password you enter here will be required to import the configuration.
   Note:
   - It is recommended that you specify a strong password to ensure proper protection of encrypted information.
   - The export process does not back up Secure Sockets Layer (SSL) certificates. For information about how to back up SSL certificates, see About backing up SSL certificates. For details, see Planning for backup and restore.

4. To export user permissions, select Export user permission settings.
5. In Save this data in this file, specify the folder in which the export file will be saved, and the file name.
6. In File name, enter a name for the exported file.

Restoring an enterprise configuration

To restore an enterprise configuration

1. In the Forefront TMG Management console, in the tree, click the Enterprise node.
2. On the Tasks tab, click Import Enterprise Configuration.
3. Select the file that you saved when you exported the configuration.
4. Select Overwrite (restore) to restore configuration settings.
5. If you exported user permissions, select Import user permission settings.
6. If you exported confidential information, enter the password that you specified when you exported the file.

Backing up and restoring the array configuration

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to back up and restore an array configuration, for a single-server or multiple-server array. Array configuration includes the following settings:

- Array configuration settings, which are relevant for, and are shared by, all members of the array.
- Server configuration settings, specific to each array member.

The following procedures provide instructions on:

- Backing up an array configuration
- Restoring an array configuration

Note: To back up and restore array-level confidential information, you must be a Forefront TMG Array Administrator.

Backing up an array configuration

To back up an array configuration

1. In the Forefront TMG Management console, in the tree, click the array ArrayName.
2. On the Tasks tab, click Export (Back up) Array Configuration.
3. To export confidential information, select Export confidential information and provide a password. Confidential information, such as user passwords and certificates, is encrypted during the export process. The password you enter here will be required to import the configuration.
   Note:
   - It is recommended that you specify a strong password to ensure proper protection of encrypted information.
   - The export process does not back up Secure Sockets Layer (SSL) certificates. For information about how to back up SSL certificates, see About backing up SSL certificates. For details, see Planning for backup and restore.
4. To export user permissions, select Export user permission settings.
5. In Save this data in this file, specify the folder in which the export file will be saved, and the file name.
6. In File name, enter a name for the exported file.

Restoring an array configuration

To restore an array configuration

1. In the Forefront TMG Management console, in the tree, click the array ArrayName.
2. On the Tasks tab, click Import (Restore) Array Configuration.
3. Select the file that you saved when you exported the configuration.
4. Select Overwrite (restore) to restore the configuration settings.
5. If you want to import server-specific settings, select Import server-specific information.
6. If you exported user permissions, select Import user permission settings.

7. If you exported confidential information, enter the password that you specified when you exported the file.

Backing up and restoring specific policies and settings

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to export specific elements of the Forefront TMG configuration, namely individual policy rules and rule elements.

The following procedures provide instructions on:

- Exporting a single policy rule or rule elements
- Importing a single policy rule or rule elements

Note:

- You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore enterprise-level settings.
- To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise Administrator.
- To back up and restore array-level confidential information, you must be a Forefront TMG Array Administrator.

Exporting a single policy rule or rule elements

To export a single policy rule or rule elements

1. In the Forefront TMG Management console tree, click Firewall Policy.
2. Do one of the following:
   - To export a single policy rule: In the details pane, right-click the applicable rule, and then click Export Selected.
   - To export a single-rule element: In the Toolbox pane, right-click the required rule element, and then click Export Selected.
   - To export multiple-rule elements: In the Toolbox pane, right-click the required rule elements, and then click Export All.
3. To export confidential information, select Export confidential information and provide a password. Confidential information, such as user passwords, certificates, and RADIUS shared secrets, is encrypted during the export process. The password you enter here will be required to import the configuration.
   Note: It is recommended that you specify a strong password to ensure proper protection of encrypted information. For details, see Planning for backup and restore.
4. In Save this data in this file, specify the folder in which the export file will be saved, and the file name.

Importing a single policy rule or rule element

To import a single policy rule or rule element

1. In the Forefront TMG Management console tree, click Firewall Policy.
2. Do one of the following:
   - To import a single policy rule: In the details pane, right-click the applicable rule, and then click Import to Selected.
   - To import a single-rule or a multiple-rule element: In the Toolbox pane, right-click the required rule element, and then click Import All.
   Note: You cannot import a file to overwrite the default rule.
3. Select the file that you saved when you exported the configuration settings.
4. If you want to import server-specific settings, select Import server-specific information.
5. If you exported confidential information, enter the password that you specified when you exported the file.

Backing up and restoring using VSS Writer

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

You can back up and restore the Forefront TMG configuration using Volume Shadow Copy Service (VSS). VSS is a set of Component Object Model (COM) application programming interfaces (APIs) that provide standardized interfaces, enabling third-party backup and restoration software to centrally manage the backup and restore operations on a variety of applications.

In Forefront TMG, the configuration is stored in an instance of Active Directory Lightweight Directory Services (AD LDS). When you use VSS to back up and restore the Forefront TMG configuration, Forefront TMG calls the AD LDS VSS Writer. The writer name string for this writer is "ISA Writer". The writer ID for the registry writer is 25F33A79-3162-4496-8A7D-CAF8E7328205.

Ensure that you back up the required server, depending on whether it is standalone or belonging to an array, as follows:

- Enterprise array - Back up the Forefront TMG Enterprise Management Server (EMS).
- Standalone array - Back up the array manager.
- Standalone server - Back up the Forefront TMG server.

Note:

- You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore enterprise-level settings.
- To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise Administrator.
- To back up and restore array-level confidential information, you must be a Forefront TMG Array Administrator.

Forefront TMG Troubleshooting

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide guidance for diagnosing and resolving issues you may encounter with Forefront TMG:

- Tracking configuration changes
- Simulating network traffic
- Using diagnostic logging
- Troubleshooting the installation
- Troubleshooting Web access protection
- Unsupported Configurations

http://technet.microsoft.com/en-us/library/dd897100.aspx

Tracking configuration changes

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Configuration change tracking enables the registering of all configuration changes that are made either in Forefront TMG Management, or programmatically using scripts. You can use configuration change tracking as a support tool to determine the cause of an issue that results from a configuration change. By default, change tracking is disabled.

In Forefront TMG Enterprise Edition, you can configure configuration change tracking at the enterprise level. When you enable configuration change tracking on the enterprise, tracking is enabled on all arrays in the enterprise. Enterprise settings override array-level settings. When you apply changes at both the array and enterprise level, two entries appear in the output, one showing the configuration change at the enterprise level, and the other showing the change at the array level.

You can view the output of configuration change tracking in the Change Tracking tab of the Troubleshooting node, in the Forefront TMG Management console.

The following describes:

- Viewing configuration change tracking output
- Configuring the change tracking feature
- Entering a change description
- Filtering and searching configuration changes

Viewing configuration change tracking output

Each configuration change tracking output entry represents a single configuration change. Entries are sorted by date and time, the most recent first. The following information is displayed in the results pane of the Change Tracking tab:

- Time - The date and time of the configuration change.
- User - The user name of the person who made the configuration change.

- Array - The name of the array in which the configuration change was made, or the name of the enterprise if the change was made on the enterprise level (Enterprise Edition only).
- Change Summary - A system-generated description of the configuration change in Forefront TMG.
- Description - The change description that the user entered for the configuration change.

You can expand each entry to display more details.

Configuring the change tracking feature

You can configure the following for the change tracking feature:

- Enable change tracking.
- Require users who make configuration changes in the Forefront TMG Management to specify a description that appears in the configuration change tracking output. This option, which is selected by default, enables users to add an optional change description when making configuration changes in Forefront TMG Management.
- Specify a maximum number of entries in the change tracking log.

To enable and configure change tracking

1. In the Forefront TMG Management console, click the Troubleshooting node, and then click the Change Tracking tab.
2. On the Tasks tab, click Configure Change Tracking.
3. To enable change tracking, select Enable change tracking.
4. To disable the change description prompt, clear the Prompt for a change description when applying configuration changes check box.
5. To specify a maximum number of entries for the change tracking log, in the Limit number of entries to box, enter the required number. It is recommended that you do not configure a limit of more than 10,000, as this may affect performance.
   Note: When the maximum number of entries is reached, the earliest entries are overwritten.
6. Click Apply.

Note: To configure change tracking at the enterprise level, right-click the enterprise node, click Properties, and then click the Change Tracking tab from the Enterprise Properties dialog box.

Entering a change description

If configuration change tracking is enabled, users who make configuration changes in Forefront TMG Management can enter an optional description for that change. This description appears in the configuration change tracking output.

After you make configuration changes in Forefront TMG Management, when you click Apply, the Configuration Change Description prompt appears, enabling you to type a description of the change. Before applying the change and change description, you can create a backup of the existing configuration by exporting the configuration. For Enterprise Edition, export backs up the entire enterprise.

To export the current configuration and a change description

1. To open the Export Wizard, click Export.
2. When the Saving Configuration Changes status dialog box appears, click OK. The required configuration change is saved, and the description is applied to the change. The configuration changes are recorded to the change tracking output, where you can view the entry.

Filtering and searching configuration changes

Filter options are accessible at the top of the Change Tracking tab. You can filter the entries by user name and by content. You can also use the short key CTRL+F to search for entries.

To search for an entry

1. In the User name contains box, enter the name of the user who performed the configu​ration change.
2. In the Entry contains box, enter a keyword for the search.
   Note: You can filter by one or both options.

This feature can help troubleshoot communication issues that users may have with the destination server (for example. y Web publishing²Simulates traffic from clients making requests to published Web servers located on corporate networks (requests that are handled by Web publishing rules in ISA Server). The traffic simulator is run per array. The administrator can then check the results to determine how to resolve the issue. Configuring the traffic simulator The following lists the different firewall policy scenarios that can be simulated: y Web access²Simulates traffic handled by an access rule. 2010 Applies To: Forefront Threat Management Gateway (TMG) The traffic simulator simulates network traffic in accordance with specified request parameters. by allowing or denying internal client requests for non-Web resources in other networks.3. y Non-Web access²Simulates traffic handled by access rules. real traffic may be blocked by a filter. the results appear in the Troubleshooting node on the Change Tracking tab. and how to simulate traffic scenarios. you can expand each entry in the output. The following describes how to configure the traffic simulator. Important: The traffic simulator checks rules only on the basis of what is allowed or denied by the firewall engine. Click the Apply Filter button. You select the server within the array on which you want to run the traffic simulator. Simulating network traffic Updated: February 1. or HTTP filtering. To display more details. which means that even if simulated traffic is allowed. The traffic simulator scans all of the published rules correlating with the scenario. and provides information about firewall policy rules that are evaluated for the request. 4. The system executes a search. when a user from the internal corporate network tries to access an Internet Web server but is denied access). by allowing or denying Web access for clients making Web proxy requests. In addition. 
this feature can verify the functionality of a new policy rule by testing traffic that is handled by the new rule. The traffic simulator is not aware of traffic that is blocked or allowed based on application filter settings. The traffic simulator can be run from a remote management computer. .

- Server publishing - Simulates traffic between clients and non-HTTP published servers located on corporate networks (requests that are handled by server publishing rules in Forefront TMG).

The results of the simulation for the configuration properties of the policy rules appear at the bottom of the screen. You can check any of the setting details in the following list to evaluate the cause of any network issues.

Setting | Description
Rule Name | Displays the name of the policy rule used by the request.
Rule Order | Displays the order number of the rule. Rule ordering numbers are displayed in the details pane of the Firewall Policy node in Forefront TMG Management.
From | Displays the source network from which the traffic is initiated.
To | Displays the destination network to where the traffic is being sent.
Network Rule Name | Specifies the name of the network rule used.
Network Relationship | Specifies the network relationship in the policy rule as either network address translation (NAT) or Route.
Protocol | Specifies the protocol used to establish the connection (for example, HTTP).
Rule Application Filters | Used by the application filter types defined in the published rule.

Simulating traffic scenarios

To run the traffic simulation, you must first configure the traffic scenario settings. The following procedures describe how to simulate traffic:
- For Web proxy access to the Internet
- For non-HTTP access connection
- To a published Web server
- To a non-HTTP published server

To simulate traffic for Web proxy access to the Internet
1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.
2. In Server, select the server from which you are running the traffic simulator.
3. In Simulation Scenarios, click Web access.
4. In Source Parameters, select if traffic is to be sent from an anonymous or authenticated user. For authenticated users, in Namespace, select Windows or RADIUS.
5. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.
6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.
7. Click Start.
8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic for non-HTTP access connection
1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.
2. In Server, select the server from which you are running the traffic simulator.
3. In Simulation Scenarios, click Non-Web access.
4. In Source Parameters, configure the source request settings.
5. In the IP address box, enter the network IP address of the source server.
6. In Destination/Source Parameters, configure the request settings.
7. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.
8. Click Start.
9. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic to a published Web server
1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.
2. In Server, select the server from which you are running the traffic simulator.
3. In Simulation Scenarios, click Web publishing.
4. In Source Parameters, configure the source request settings.
5. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.
   Note: The URL is the one published by Forefront TMG. The URL is specified on the Public Name tab. Forefront TMG must be able to resolve it to its external IP address, otherwise the simulation fails.
6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.
7. Click Start.
8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic to a non-HTTP published server
1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.
2. In Server, select the server from which you are running the traffic simulator.
3. In Simulation Scenarios, click Server Publishing.
4. In the Destination/Source Parameters box, configure the request settings.
5. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.
6. Click Start.

7. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

Using diagnostic logging

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

Diagnostic logging tracks the behavior of policy components in Forefront TMG. Diagnostic logging enhances traditional log information by tracing the flow of a specific packet, reporting on packet progress and providing information about traffic handling and rule matching. When diagnostic logging is enabled, it automatically logs events for firewall policy access and authentication issues.

You can configure and view diagnostic logging on the Diagnostic Logging tab of the Troubleshooting node in Forefront TMG Management. The following topics provide information that can help you view the diagnostic events:
- Viewing the diagnostic log
- Filtering the diagnostic log
- Configuring diagnostic logging

http://technet.microsoft.com/en-us/library/dd897109.aspx

Troubleshooting the installation

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

This topic provides guidance for diagnosing and resolving installation issues you may encounter with Forefront TMG when:
- Upgrading to Windows Server 2008 R2
- Installing from a network drive
- Group Policy enforces Windows Firewall

Tip: For the complete flow of troubleshooting Forefront TMG installation problems, download the Troubleshooting Forefront TMG Services SuperFlow (http://go.microsoft.com/fwlink/?LinkID=182922) at the Microsoft Download Center.

Upgrading to Windows Server 2008 R2

If you installed Forefront TMG on a computer running Windows Server 2008, and you want to upgrade the operating system to Windows Server 2008 R2, you must perform a clean installation of Windows Server 2008 R2. The supported upgrade path is:
1. Export the Forefront TMG configuration.
2. Perform a clean installation (not an upgrade) of the new operating system.
3. Install Forefront TMG.
4. Import the Forefront TMG configuration.

Installing from a network drive

If you are running the Performance Tool or Setup from a shared drive, make sure that the computer automatically reconnects to this drive after system restart. These two applications may require or initiate a restart, and failure to locate them after restart may result in a failed installation.

Group Policy enforces Windows Firewall

When installing Forefront TMG on a computer that is joined to a domain with Group Policy object (GPO) enforcement of Windows Firewall, the installation will not complete successfully because Setup tries to disable the Windows Firewall. As a workaround, you can direct Setup to ignore this error by adding a flag to the Windows Registry, as follows:

Tip: It is recommended that you back up the registry before making any changes.

1. Open the Windows Registry using the command regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\SETUP.
3. Right-click IGNORE_WINDOWS_FIREWALL_GPO_ENFORCEMENT, select Modify, and change the Value data to 1.

Troubleshooting Web access protection

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

The following topics help you determine the cause and resolution of problems you might experience while using Forefront TMG Web access protection:
- Troubleshooting URL filtering
- Troubleshooting HTTPS inspection
- Troubleshooting NIS

For a description of Forefront TMG Web access protection, see the Forefront TMG secure Web gateway solution guide.

http://technet.microsoft.com/en-us/library/ff358613.aspx

Unsupported Configurations

Updated: February 1, 2010
Applies To: Forefront Threat Management Gateway (TMG)

This topic summarizes common unsupported configurations and scenarios you may encounter when deploying and maintaining Forefront TMG. For each issue, possible causes are described, and solutions are suggested where applicable.

This topic is divided into these sections:
- Installation issues
- Array issues
- ISP Redundancy issues
- Network and routing issues
- Dial-up issues
- Load Balancing issues
- VPN issues
- Publishing issues
- Protocol and application issues
- Authentication issues

Installation issues

This section describes the following installation issues, their causes, and solutions:
- Forefront TMG is not supported on a 32-bit operating system
- Forefront TMG is not supported on Windows Server 2003
- Forefront TMG is not supported on all editions of Windows Server 2008
- Installing EMS on a Forefront TMG computer is not supported
- In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported
- In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported
- Forefront TMG installed on a domain controller is not supported
- Forefront TMG Client is not supported on Windows 2000
- Forefront TMG does not support Firewall Client 2000
- Workgroup deployment limitations
- Multiple firewall products

Forefront TMG is not supported on a 32-bit operating system

Issue: Installing Forefront TMG firewall or EMS role on a 32-bit operating system is blocked.
Cause: Forefront TMG firewall or EMS role will not install or run on a 32-bit operating system. Only the Forefront TMG Management console can be installed on a 32-bit operating system (Windows Server 2008 R2, Windows Server 2008 SP2, Windows 7, or Windows Vista SP1).
Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Forefront TMG is not supported on Windows Server 2003

Issue: Installing Forefront TMG or Forefront TMG EMS on Windows Server 2003 is blocked.
Cause: Forefront TMG or Forefront TMG EMS will not install or run on Windows Server 2003.
Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Forefront TMG is not supported on all editions of Windows Server 2008

Issue: Installing Forefront TMG or Forefront TMG EMS is not supported on all editions of Windows Server 2008.
Cause: The table below summarizes the editions of Windows Server 2008 that are supported.

Windows Server 2008 | Core Installation | Web Edition | Foundation Edition | Standard Edition | Enterprise Edition | Datacenter Edition
Forefront TMG | No | No | No | Yes | Yes | Yes
Forefront TMG EMS | No | No | Yes | Yes | Yes | Yes
Forefront TMG Management | No | Yes | Yes | Yes | Yes | Yes

Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2, taking the above information into consideration. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Installing EMS on a Forefront TMG computer is not supported

Issue: Installing an Enterprise Management Server (EMS) on a computer with Forefront TMG already installed.
Cause: Running both Forefront TMG and an EMS from the same computer is not supported.
Solution: No workaround.

In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported

Issue: In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not possible.
Cause: Forefront TMG cannot be installed on the same operating system (Windows Server 2003) on which ISA Server runs, so in-place upgrade is not possible.
Solution: Perform a migration, as follows:
1. Export the ISA Server configuration settings and certificates.
2. Perform a clean installation of Windows Server 2008 SP2 or Windows Server 2008 R2.
3. Install Forefront TMG.
4. Import the configuration settings and certificates.
See Migrating from ISA Server 2004/2006 to Forefront TMG for more detailed information.

In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported

Issue: Upgrading from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported.
Cause: Forefront TMG does not support upgrading to Windows 2008 R2 while Forefront TMG is installed.
Solution: Perform a migration, as follows:
1. Export the Forefront TMG configuration and certificates.
2. Perform a clean installation of Windows 2008 R2.
3. Install Forefront TMG.
4. Import the configuration and certificates.
Warning: Uninstalling Forefront TMG, and then upgrading to Windows 2008 R2, is also not supported.

Forefront TMG installed on a domain controller is not supported

Issue: Installing Forefront TMG or Forefront TMG EMS on a computer configured as an Active Directory domain controller is not supported.
Cause: This installation is blocked by the Forefront TMG installer.
Solution: Virtualization offers an alternative if both Forefront TMG and a domain controller must be on the same computer. For more information, see Forefront TMG support in a virtual environment and Security Considerations with Forefront Edge Virtual Deployments (http://go.microsoft.com/fwlink/?LinkId=178740).
Note: Installing Forefront TMG Management console on a domain controller is supported.

Forefront TMG Client is not supported on Windows 2000

Issue: Installing Forefront TMG Client is not supported on Windows 2000.
Cause: The following table summarizes the operating system support for Forefront TMG Client and other Firewall client software.

Operating system | Forefront TMG Client | Firewall Client 2006 | Firewall Client 2004 | Firewall Client 2000
Windows 7 | Yes | Yes | No | No
Windows Server 2008 | Yes | Yes | No | No
Windows Vista | Yes | Yes | No | No
Windows Server 2003 SP1 | Yes | Yes | Yes | Yes
Windows XP | Yes | Yes | Yes | Yes
Windows 2000 | No | Yes | Yes | Yes

Solution: Install the Forefront TMG Client software on a supported operating system.

Forefront TMG does not support Firewall Client 2000

Issue: Forefront TMG does not support Firewall Client 2000.
Cause: The following table summarizes the support between Forefront TMG, ISA Server and their Clients.

Client | Forefront TMG | ISA Server 2006 | ISA Server 2004 | ISA Server 2000
Forefront TMG Client | Yes | Yes | Yes | No
Firewall Client 2006 | Yes | Yes | Yes | Yes
Firewall Client 2004 | Yes | Yes | Yes | Yes
Firewall Client 2000 | No | Yes | Yes | Yes

Solution: Deploy a supported Client. It is recommended that you use Forefront TMG Clients together with Forefront TMG for best performance and added functionality.

Workgroup deployment limitations

Issue: A number of limitations are associated with deploying Forefront TMG within a workgroup environment and not within a domain.
Cause: Certain features are not supported when Forefront TMG is deployed within a workgroup environment, as follows:
Forefront TMG deployed in a workgroup:
- Domain-based user authentication cannot be applied to an array.
- User mapping is not supported (except for PAP and SPAP).
- Client certificates cannot be used as primary authentication.
- Group policy deployment of the HTTPS inspection trusted root certification authority (CA) certificate to client computers is not possible.
Forefront TMG EMS deployed in a workgroup:
- EMS replication is not supported.
Forefront TMG Clients deployed in a workgroup:
- Automatic Web proxy detection using Active Directory Auto Discover is not possible.
For more information, see Workgroup and domain considerations.

Multiple firewall products

Installing other firewall products (such as a personal host firewall) on a Forefront TMG computer is not supported. Attempting to create a layered firewall deployment on a single server by adding additional firewall products will result in unpredictable behavior, and may cause the server to fail.
Note: A number of antivirus products may also install some firewall components, such as worm protection, which can result in unpredictable behavior.

Array issues

This section describes the following Forefront TMG array issues, their causes, and solutions:
- An array of Forefront TMG servers with different operating systems is not supported
- Forefront TMG and ISA Server cannot coexist in the same enterprise or array
- Forefront TMG does not support firewall chaining

An array of Forefront TMG servers with different operating systems is not supported

Issue: An array that contains some Forefront TMG servers with Windows Server 2008 SP2 installed, and other Forefront TMG servers with Windows Server 2008 R2 installed, is not supported.
Cause: All the Forefront TMG servers in an array must have the same operating system, either Windows Server 2008 SP2 or Windows Server 2008 R2. This is especially significant when upgrading the array to Windows Server 2008 R2.
Solution: You must build a new array and then migrate each Forefront TMG server to the new array (after each one completes the Windows Server 2008 R2 and then Forefront TMG installations).

Forefront TMG and ISA Server cannot coexist in the same enterprise or array

Issue: Forefront TMG and ISA Server cannot operate as members of the same array or enterprise.
Cause: Forefront TMG and ISA Server require different configuration schema and settings, and cannot be simultaneously controlled by a single array manager.
Solution: No workaround.

Forefront TMG does not support firewall chaining

Issue: Forefront TMG does not support firewall chaining.

Cause: Firewall chaining has been deprecated and is no longer supported by Forefront TMG.
Solution: Configure your downstream servers as SecureNAT clients of the upstream server, or use Web chaining.

ISP Redundancy issues

This section describes the following ISP Redundancy issues, their causes, and solutions:
- ISP redundancy does not support more than two external interfaces
- Forefront TMG does not support more than two default gateways
- Multiple DHCP default gateways are not supported
- ISP redundancy does not support e-mail protection
- Protocol-based load balancing is not supported with ISP redundancy feature

ISP redundancy does not support more than two external interfaces

Issue: Forefront TMG does not support more than two external connections to Internet Service Providers (ISPs).
Cause: Forefront TMG can support only two external connections with the ISP Redundancy feature.
Solution: No workaround. There are a number of third-party products that may provide a solution. For more information, see High Availability and Load Balancing on the Windows Server System Web site (http://go.microsoft.com/fwlink/?linkid=179985).

Forefront TMG does not support more than two default gateways

Issue: No support for more than two default gateways.
Cause: Forefront TMG does not support more than two default gateways configured on the same network adapter (within different subnets), or on two different adapters (one default gateway per adapter). Using more than one default gateway is only supported for the ISP Redundancy feature.
Solution: To enable ISP redundancy, set the default gateway on each of the Forefront TMG network adapters to a different ISP. If only one network adapter is available, it is possible to set two default gateways, as long as each default gateway is in a different subnet.

Multiple DHCP default gateways are not supported

Issue: Forefront TMG does not support configuring the ISP redundancy feature when your ISPs only support DHCP-assigned addressing.
Cause: Windows Server 2008 does not support multiple default gateways in DHCP-assigned links.
Solution: Manually add both default gateways to the routing table on Forefront TMG.

ISP redundancy does not support e-mail protection

Issue: When e-mail protection using Forefront Protection for Exchange (FPE) is used in Forefront TMG, the e-mail traffic will not fail over to an alternate ISP link even if the ISP redundancy functionality is configured in Forefront TMG.
Cause: The ISP redundancy feature requires a NAT relationship with the external network in order to fail over the connection to an alternate ISP. SMTP listeners on the external NIC cannot take advantage of the ISP redundancy functionality as there is no address translation in mail traffic.
Solution: To take advantage of the ISP redundancy functionality, use the SMTP publishing feature to publish the internal SMTP servers.

Protocol-based load balancing is not supported with the ISP redundancy feature

Issue: Forefront TMG cannot distribute traffic based on the protocol that is used (for example, HTTP through one link and SMTP through the other).
Cause: Protocol-based load balancing is not supported with the ISP redundancy feature.
Solution: No solution.

Network and Routing issues

This section describes the following network and routing issues, their causes, and solutions:
- Forefront TMG does not support defining networks that represent remote subnets
- Configuring intradomain communications with a NAT relationship
- Internationalized Domain Names are not supported
- Domain names that include wildcard characters are not supported with link translation enabled
- Configuring Forefront TMG with a single network adapter
- Protocol based Enhanced NAT is not supported

Forefront TMG does not support defining separate network objects that represent remote subnets

Issue: Forefront TMG does not support defining separate network objects that represent remote subnets.
Cause: When you define IP address ranges for a network, Forefront TMG checks all network adapters. When Forefront TMG finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets accessible by Forefront TMG through routers, the IP address of the remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), Forefront TMG tries to locate an adapter with an IP address of the network object, and fails. Forefront TMG assumes that the adapter is not available (disconnected or disabled), and sets network status to disconnected.
Solution: For best practice when defining your network configuration in Forefront TMG, take note of the following:
- Include all network ranges for subnets in a network object's properties (for example, include subnet IP addresses in the IP address range for the internal network).
- Apply rules to specific subnets by creating subnet objects in the Toolbox, and then using these subnet objects to specify the source and destination in access rules.

Configuring intradomain communications with a NAT relationship

Issue: Forefront TMG does not support intradomain communications between networks with a network address translation (NAT) relationship.
Cause: There may be some circumstances in which you want to allow communication between domains or domain members that are separated by Forefront TMG. Typical scenarios include:
- A Web server located in the perimeter network that is a member of the internal domain needs to contact the domain controller in the internal network.
- Applications or servers located in the perimeter network need to be accessed by internal clients.
- Perimeter domain controllers require a domain trust relationship to a domain in another network.

Solution: If the networks use a NAT relationship, there is no workaround. If networks have a route relationship, you can work around this issue by ensuring that all traffic to/from internal and remote subnet hosts is routed correctly through Forefront TMG. This is done either on the clients themselves, where they are on the same subnet as Forefront TMG, or on the relevant router in your network infrastructure. For example:
- If you want to support requests from SecureNAT clients, specify the Forefront TMG interface as the default route for those clients.
- Create routes on internal devices so that traffic destined for other networks is routed through Forefront TMG.

Internationalized Domain Names are not supported

Issue: Forefront TMG does not support the use of IDN (Internationalized Domain Name) URLs.
Solution: No workaround.

Domain names that include wildcard characters are not supported with link translation enabled

Issue: Forefront TMG does not support the use of wildcard characters in the domain name when link translation is enabled.
Cause: When link translation is enabled, the rule must specify an explicit public domain name. Domain names including wildcard characters are therefore not allowed. For example, *.microsoft.com is not permitted.
Solution: Do one of the following:
- Disable link translation on the Link Translation tab of the Web publishing rule properties.
- In the Public Name tab, specify each Web site to which the rule will apply, rather than using a wildcard. For example, use www.microsoft.com and mail.microsoft.com, not *.microsoft.com.

Configuring Forefront TMG with a single network adapter

Issue: A number of issues are associated with the configuration of Forefront TMG on a computer with a single network adapter.
Cause: In single network adapter mode, Forefront TMG recognizes itself as the Local Host network, and everything else is recognized as the internal network. There is no concept of an external network.
- Multi-network firewall policy - Application level filters operate only in the context of the Local Host network (Forefront TMG protects itself no matter what network template is applied). In a single network adapter environment this is a single-network context. You can use access rules to allow non-Web protocols to and from the Forefront TMG computer only.
- Application layer inspection - Application filtering is limited to the Web Proxy Filter and associated Web filters, which provides application layer inspection for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP for Web Proxy clients only.
- Server publishing - Server publishing is not supported. No external network context means that Forefront TMG cannot provide the NAT functionality required in a server publishing scenario.
- Forefront TMG Clients - The Forefront TMG Client application forwards requests from Winsock to the Forefront TMG Firewall service. In a single network adapter environment with no external network context, Forefront TMG is unable to NAT or route this traffic.
- SecureNAT clients - SecureNAT clients use Forefront TMG as a router to other networks, so Forefront TMG is unable to NAT or route this traffic.
- Virtual private networking - Site-to-site virtual private networks (VPNs) are not supported in a single network adapter scenario.
- E-mail protection - E-mail protection features are not supported. A single network adapter includes the entire network and all of its IP addresses, and this poses a problem when Forefront TMG tries to configure routing for the connectors and set their allowed remote ranges.
Solution: Redeploy Forefront TMG with at least 2 network cards using the Edge, Back Firewall or 3-leg perimeter network topology design. For more information, see the topics: Planning Forefront TMG network topology and About single network adapter topology.

Protocol based enhanced NAT is not supported

Issue: Forefront TMG cannot assign NAT IP addresses based on the protocol used (for example, HTTP traffic is assigned one IP address and SMTP another).
Cause: Protocol based enhanced NAT is not supported.
Solution: No workaround.

Dial-Up issues

This section describes the following dial-up issues, their causes, and solutions:
- Forefront TMG overwrites Routing and Remote Access settings
- Dial-up limitations for non-VPN connections

Forefront TMG overwrites Routing and Remote Access settings

Issue: Routing and Remote Access settings are overwritten by Forefront TMG. Demand-dial interfaces created with Routing and Remote Access are deleted.

Cause: Remote access settings must be specified using Forefront TMG Management. Any demand-dial interfaces created or modified using Routing and Remote Access that do not match networks in Forefront TMG are overwritten and deleted by Forefront TMG. Note the following limitations when creating demand-dial interfaces using the VPN Wizard:
- Forefront TMG does not support the assignment of a persistent connection, so any persistent connections you assign in Routing and Remote Access are deleted. This may be an issue if you want a VPN connection to be established automatically when the server comes online, rather than waiting for traffic to trigger the interface to dial.
- Forefront TMG does not allow creation of multiple VPN connections to a particular network using different metrics. Such functionality allows more than one route to a particular network, so that if a primary route goes down, a backup route with different metrics is available.
- Forefront TMG does not allow you to disable or enable specific services or network components on a specific VPN interface.
- You cannot configure the number of redial attempts that the VPN connection makes.
- Forefront TMG does not allow modem demand-dial interfaces.

Solution: For more information about solutions, see Knowledge Base article KB842639 (http://go.microsoft.com/fwlink/?linkid=51103).

Dial-up limitations for non-VPN connections

Issue: Forefront TMG supports dial-up connections to the Internet or a remote network using a modem connection or a virtual private network (VPN) connection. A number of limitations are associated with a non-VPN connection:

1. You can only configure automatic dialing for a non-VPN dial-up connection on one network.

Solution: If automatic dialing is used to connect directly to the Internet, select the external network for the automatic dial-up connection. You can also configure automatic dialing to connect to a branch office, or to a specific location in your organization.

2. Forefront TMG does not support customized routes. For example, if Forefront TMG dials a non-VPN connection to a remote network that is not the default gateway, this requires a custom route to the remote network. Forefront TMG overwrites Routing and Remote Access settings with its own settings. Forefront TMG creates and controls Point-to-Point Tunneling Protocol (PPTP) over Layer Two Tunneling Protocol (L2TP) interfaces, overwriting changes made in Routing and Remote Access. If modem connections are created in Routing and Remote Access, Forefront TMG deletes them.

Solution: You can use Routing and Remote Access to add a demand-dial interface for the connection and create a static route for the connection.

3. Forefront TMG uses the local domain table (LDT) to determine whether a request is to an internal computer (in the LDT) and whether dialing out is required. There may be an issue with connections being constantly dialed if clients make a dial-up request for a URL that is not defined in the LDT.

Solution: You can control whether the dial-up connection is dialed for DNS purposes. For more information, see Knowledge Base article KB901109 (http://go.microsoft.com/fwlink/?linkid=54622).

Load balancing issues

This section describes the following load balancing issues, their causes, and solutions:
- NLB is not supported in Forefront TMG Standard Edition
- Load balancing is not supported with Forefront TMG Clients or ISA Firewall Clients

NLB is not supported in Forefront TMG Standard Edition

Issue: Network Load Balancing on Forefront TMG Standard Edition is not supported.

Cause: Forefront TMG Standard Edition cannot operate in a multi-server array, so integrated NLB is not possible. Consequently, multiple Standard Edition servers operating in an NLB cluster cannot be peer-aware. Management and maintenance of such a deployment is too difficult to be supportable.

Solution: No workaround. To obtain support for NLB with Forefront TMG you must use the Enterprise version.

Load balancing is not supported with Forefront TMG Clients or ISA Firewall Clients

Issue: Client machines running Forefront TMG Clients or ISA Firewall Clients may have issues connecting to an array of Forefront TMG servers with any type of load balancing configured on the related Forefront TMG network.

Cause: Load balancing (either integrated or using an external load balancer) is not supported together with Forefront TMG Clients or ISA Firewall Clients.

Solution: Instead of using a load balancer, use DNS round robin to point the clients to the Forefront TMG array members' dedicated IP addresses.

VPN issues

This section describes the following virtual private network (VPN) issues, their causes, and solutions:
- DHCP address allocation for VPN remote clients not supported in a Forefront TMG array
- IP filters configured on Network Policy Server not supported
- VPN User mapping issues
- Outbound L2TP connections are not supported by Forefront TMG configured as an L2TP/IPsec VPN server

DHCP address allocation for VPN remote clients not supported in a Forefront TMG array

Issue: Using a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses for VPN remote clients is only available in a single server Forefront TMG array.

Cause: This option is only available in Forefront TMG Standard Edition, or in Forefront TMG Enterprise Edition with a single array member. This limitation applies when an array consists of more than one member and NLB is disabled, because there is no way to guarantee DHCP address allocation across the array members.

Solution: Use static pool address assignment whenever there are multiple array members.

IP filters configured on Network Policy Server not supported

Issue: Noncompliant computers cannot access the remediation servers when IP filters have been properly configured as part of the NPS deployment.

Cause: Forefront TMG does not support IP filters defined by Network Policy Server (NPS) policies.

Solution: To allow noncompliant NAP clients to access one or more remediation servers, create an access rule on the Forefront TMG server from the Quarantined VPN Clients network to the appropriate remediation servers.

VPN User mapping issues

Issue: Do not enable user mapping when using Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2, or any type of Extensible Authentication Protocol (EAP) authentication, if Forefront TMG and the Remote Authentication Dial-In User Service (RADIUS) server are in different domains, or one of them is in a workgroup.

Cause: You select Enable User Mapping to map VPN remote users connecting with non-Active Directory service credentials (such as a RADIUS user) to Windows accounts, or to a local user account on the Forefront TMG computer in a workgroup configuration. This feature enables you to apply access rules that use Windows groups and users to apply to other users. When you configure VPN remote client access, VPN client properties include the User Mapping tab. In these scenarios, user mapping is only supported for Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication methods. When PAP or SPAP is used, the domain specified in the user mapping is used to match the VPN client to a mirrored Active Directory account. When RADIUS is authenticated with CHAP, MS-CHAP, MS-CHAP version 2, or EAP, the domain name is always ignored, and the VPN client can be matched to an Active Directory account in the local domain in which Forefront TMG is a domain member.

Solution: To use CHAP, MS-CHAP, MS-CHAP version 2, or any type of EAP, make Forefront TMG a domain member.

Outbound L2TP connections are not supported by Forefront TMG configured as an L2TP/IPsec VPN server

Issue: Outbound L2TP connections are not supported when Forefront TMG is configured as a VPN server that uses the L2TP/IPsec protocol.

Cause: By default the following settings apply:
- Network address translation (NAT) is applied to outbound traffic from the internal, VPN Clients, and Quarantine VPN Clients networks to the external network.
- When Forefront TMG is configured as a VPN server that uses the L2TP/IPsec protocol, traffic to and from the L2TP protocol port (UDP port 1701) is secured by IPsec.

With these default settings, the outbound L2TP client request is sent from the NAT address (usually the address of the Forefront TMG external network adapter) and the external VPN server responds to this address. Forefront TMG does not forward the L2TP traffic from the external VPN server to the client because no matching IPsec policy exists.

Solution: Use PPTP for outbound VPN connections, or do not use the L2TP/IPsec protocol when Forefront TMG is configured as a VPN server.

Publishing issues

This section describes the following publishing issues, their causes, and solutions:
- Customization of HTML form pages for additional functionality is not supported
- Active-Directory-based Web proxy detection is not supported by firewall clients
- Port numbers appended to host headers
- Multiple server certificates not supported for a single SSL listener

Customization of HTML form pages for additional functionality is not supported

Issue: It is possible to customize HTML forms used on Forefront TMG for additional functionality beyond their intended usage, but such customization is not supported.

Cause: Customizing the existing functionality of Forefront TMG HTML pages (for example, changing the error messages or using a custom logo) is encouraged and supported. However, the degree to which any HTML page can be customized is very extensive, so any customization of Forefront TMG HTML pages with the intention of adding functionality that goes beyond the scope of intended use is not supported.

Solution: If issues arise as a result of such customization of the Forefront TMG HTML pages, the original files should be restored. For more information on what customization is supported and how to implement the changes, see the topics Customizing HTML forms and Customizing HTML error messages in Forefront TMG.

Active-Directory-based Web proxy detection is not supported by ISA Firewall clients

Issue: ISA Firewall clients cannot automatically detect the Web proxy via Active Directory.

Note: Active-Directory-based Web proxy detection is not supported by clients in a workgroup environment. Forefront TMG Clients must be members of a domain.

Cause: Active-Directory-based Web proxy detection is only supported on Forefront TMG Clients.

Solution: No workaround.

Port numbers appended to host headers

Issue: When a publishing configuration requires redirection to a different port number, Forefront TMG appends the port number to the host header. For example:
- If you listen for Web requests on port 81, and the Web publishing rule for www.contoso.com sends requests to domain.internal, which is listening on port 80, the host header sent to domain.internal will be www.contoso.com:81. This behavior may be an issue where Web applications build links that are dynamically based on the host header. In this case, the server will build links according to the internal name.
- In an HTTPS-to-HTTP bridging scenario, the host header is forwarded to the back-end Web server as <hostheader>:443.

Cause: This is by design for the link translation functionality of Forefront TMG.

Solution: There are three possible solutions:
- Add a mapping to the link translation dictionary to replace www.contoso.com:81 with www.contoso.com.
- Disable the option to forward the original host header to the server, and enable link translation (without making any addition to the dictionary). In this case, the host header in the request will be changed to www.site.com. Forefront TMG will use link translation to translate all internal links to the external name (including the port number).
- Use the script discussed in Knowledge Base article KB925287 (http://go.microsoft.com/fwlink/?LinkId=179984).

Multiple server certificates not supported for a single SSL listener

Issue: Only one SSL server certificate can be bound to a Web listener.

Cause: Windows Schannel only allows a single certificate to be associated with a network listener.
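Because only one certificate can be bound to a listener, a practical check before publishing several SSL sites on one listener is whether a candidate certificate's names cover every site. The following is an added example (not code from the Forefront TMG documentation); the sites OWA, WebSite1 and WebSite2 at contoso.com and the *.contoso.com wildcard are the page's example, the candidate certificate name lists are constructed, and browser-style wildcard matching rules are assumed.

```python
"""Added example (not Forefront TMG code): checks whether one certificate can
cover every site published through a single Web listener, since only one
server certificate can be bound per listener. The sites at contoso.com and the
*.contoso.com wildcard are the page's example; the name lists below are
constructed. Wildcard matching follows the usual browser rules, which is an
assumption of this model."""


def name_covers(cert_name: str, host: str) -> bool:
    """Does one certificate name (subject or SAN entry) cover a host name?

    A wildcard must be the entire leftmost label ("*.contoso.com"), replaces
    exactly one label, and never matches the bare domain "contoso.com".
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    if not cert_name.startswith("*.") or "*" in cert_name[2:]:
        return False                      # "ow*.contoso.com" style is rejected
    suffix = cert_name[2:]                # "contoso.com"
    if not host.endswith("." + suffix):
        return False                      # other domain, or the bare domain
    leftmost = host[: -(len(suffix) + 1)]
    return bool(leftmost) and "." not in leftmost   # exactly one label


def uncovered_sites(cert_names: list, published_sites: list) -> list:
    """Published host names that no name on the certificate covers."""
    return [site for site in published_sites
            if not any(name_covers(n, site) for n in cert_names)]


def listener_certificate_ok(cert_names: list, published_sites: list) -> bool:
    """True if every site on the listener is covered by the one certificate."""
    return not uncovered_sites(cert_names, published_sites)


# The page's example: three sites sharing the contoso.com namespace.
PUBLISHED_SITES = ["owa.contoso.com", "website1.contoso.com", "website2.contoso.com"]

# Constructed candidate certificates for the listener.
WILDCARD_CERT = ["*.contoso.com"]
SAN_CERT = ["owa.contoso.com", "website1.contoso.com", "website2.contoso.com"]
SINGLE_NAME_CERT = ["owa.contoso.com"]     # covers OWA only

if __name__ == "__main__":
    for label, names in [("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT),
                         ("single-name", SINGLE_NAME_CERT)]:
        missing = uncovered_sites(names, PUBLISHED_SITES)
        print(f"{label:12s} ok={not missing} uncovered={missing}")
```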

Solution: To publish multiple SSL sites using the same IP address and port (listener), you can use a wildcard character certificate or a SAN certificate. For example, to publish sites OWA, WebSite1, and WebSite2 at contoso.com, where all sites published use the same domain namespace, you can acquire a wildcard character certificate (*.contoso.com) for Forefront TMG. Note that Forefront TMG only supports wildcard character certificates that are located on the Forefront TMG itself. In an HTTPS-to-HTTPS bridging scenario, you cannot use a wildcard character certificate to authenticate to the back-end Web server.

Protocol and Application issues

This section describes the following protocol and application issues, their causes, and solutions:
- RPC-over-HTTP traffic inspection limitations
- Live Communications Server not supported on the Forefront TMG computer
- Forefront TMG does not support SIP traffic from an OCS server
- Forefront TMG does not support CNG certificates
- HTTPS inspection limitations
- Forefront TMG does not support range requests
- Secure FTP support
- FTP limitations for Web Proxy clients
- Forefront TMG does not support Routing Protocols
- Colocating Remote Installation Services with Forefront TMG
- Forefront TMG support in a virtual environment
- Forefront TMG does not support IPv6 traffic
- WCCP, ICP and ICAP protocols are not supported in Forefront TMG

RPC over HTTP traffic inspection limitations

Issue: RPC over HTTP traffic encrypts the RPC data in HTTP and is not inspected by the RPC filter.

Cause: The RPC filter cannot inspect RPC over HTTP traffic because:
- Forefront TMG application filters cannot be chained to each other and Web filters cannot pass traffic to application filters.
- The RPC filter expects RPC communications to begin on the RPC endpoint mapper (TCP:135), and so it cannot protect against RPC exploits reaching an Exchange server.

Note:
1. NIS inspection still recognizes RPC within HTTP and performs behavioral and vulnerability filtering of the RPC traffic.
2. In outbound scenarios, RPC over HTTP requests may be SSL-tunneled, so HTTP inspection cannot occur following the initial CONNECT request unless HTTPS inspection is enabled.

Solution: Deploy RPC over HTTP with these limitations in mind.

Live Communications Server not supported on the Forefront TMG computer

Issue: Running Live Communications Server on the Forefront TMG computer is not supported.

Cause: This is an untested scenario.

Solution: No workaround.

Forefront TMG does not support SIP traffic from an OCS server

Issue: Office Communicator SIP calls from an OCS server cannot pass through the Forefront TMG SIP filter.

Cause: OCS uses TLS for SIP traffic. The SIP filter in Forefront TMG cannot parse the TLS traffic.

Solution: No workaround. Solutions for OCS are provided by Security and Compliance Partners (http://go.microsoft.com/fwlink/?LinkId=179985).

Forefront TMG does not support CNG certificates

Issue: Forefront TMG does not support the use of certificates created using CNG (Certificate New Generation) based templates for Web listeners or as client certificate authentication in Web publishing or Web chaining rules.

Cause: CNG certificates are not usable by Forefront TMG.

Workaround: Create certificates using Windows 2000 or Windows 2003 templates.

HTTPS Inspection limitations

Issue: There are a number of limitations you should be aware of when enabling the HTTPS Inspection feature on Forefront TMG.

Cause: The following features are not supported:
- Extended Validation (EV) SSL certificates.
- CNG certificates.
- Servers that require client certificate authentication.
- Connections to external SSTP servers.

Windows Media, Microsoft Update, download manager applications, and Adobe Reader are examples of potentially affected client applications.

Solution: To bypass a limitation, you must exclude the specific site from HTTPS inspection.

Forefront TMG malware inspection does not support range requests

Issue: Forefront TMG strips off the range header when the malware inspection feature is enabled. When malware inspection is enabled, range headers are stripped from requests before being passed by Forefront TMG to the upstream server.

Cause: The Forefront TMG malware inspection filter is not designed to assemble a file from multiple pieces that are retrieved out of order.

Solution: To work around this limitation do one of the following:
- Add the site to the Destination Exceptions list for malware inspection settings.
- Create an access rule that allows traffic to the selected destinations and does not apply malware inspection.

Secure FTP support

Issue: Forefront TMG does not support secure File Transfer Protocol (FTP).

Cause: Secure FTP uses an encrypted control channel between the FTP client and server. After the FTP client and server establish an encrypted control channel, the Forefront TMG FTP filter cannot see the FTP commands and so cannot create the dynamic policy changes that are necessary to fully support FTP communications.

Solution: There is an unsupported workaround available that allows you to publish secure FTP. For more information, see Publishing Secure FTP Servers behind ISA Firewalls at the ISAserver.org Web site (http://go.microsoft.com/fwlink/?linkid=51105).

FTP limitations for Web Proxy clients

Issue: The following limitations apply:
- Web Proxy client FTP requests are passed over HTTP, and only FTP downloads are supported. Therefore you cannot use FTP upload from a Web Proxy client.
- To access FTP sites that require authentication, credentials should be specified in the address bar using the following format: ftp://username:password@FTP_Server_Name, but this will only work when the Forefront TMG Client is installed on the client computer.
- By default, Forefront TMG uses PASV mode for FTP requests, and does not allow any action that would change the content or structure of the FTP server.

Solution: There is no workaround for these limitations at this time. For more information about troubleshooting outgoing FTP access, see Troubleshooting Outbound FTP (http://go.microsoft.com/fwlink/?LinkId=88856).

Forefront TMG does not support Routing Protocols

Issue: Forefront TMG is not a router and does not directly support routing protocols such as Border Gateway Protocol (BGP), Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Cause: Forefront TMG has no built-in support for these dynamic routing protocols.

Solution: No workaround.

Colocating Remote Installation Services with Forefront TMG

Issue: When Forefront TMG is installed, Remote Installation Services (RIS) takes an extreme length of time to deploy an image.

Cause: RIS uses Trivial File Transfer Protocol (TFTP). Forefront TMG has a predefined protocol for TFTP, with a secondary connection defined as all User Datagram Protocol (UDP) ports.

Solution: Use the following workaround:
- Open the complete range of UDP ports from the client to the TFTP server.
- Open the complete range of UDP ports from the TFTP server to the client.

Forefront TMG support in a virtual environment

Forefront TMG is supported on hardware virtualization in accordance with the following programs:

- Microsoft Support Lifecycle.
- Microsoft Server Virtualization Validation Program (SVVP).
- Support Policy for Microsoft software running on non-Microsoft hardware virtualization software.
- Forefront TMG system requirements, and the system requirements for that product version and edition.

Support is limited as follows:
- Desktop virtualization, such as Microsoft Virtual PC or a similar 3rd-party product, is supported for demonstration and educational use only, but not recommended for production use.
- Server Virtualization, such as Microsoft Virtual Server or a similar 3rd-party product, is supported.

For hardware virtualization platforms not listed with the SVVP, Forefront TMG is supported in accordance with remaining Microsoft support policies, non-Microsoft hardware virtualization policies. For example, if a hardware virtualization platform is listed as "validated" with the SVVP (not "under evaluation"), Forefront TMG will be supported for production use on that platform within the limits prescribed in the Microsoft Product Support Lifecycle.

Important: Microsoft support engineers may request that a customer reproduce a reported problem on real hardware or within an SVVP-listed hardware virtualization platform, before continuing with the case. If the problem cannot be reproduced in hardware or on a SVVP-listed server virtualization product of similar class, the case may be deferred to the 3rd-party vendor product support.

Tip: For more information and best practices on edge virtualization, read Security Considerations with Forefront Edge Virtual Deployments (http://go.microsoft.com/fwlink/?LinkId=178740).

Forefront TMG does not support IPv6 traffic

Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess), and all IPv6 traffic is blocked by default.

Cause: Filtering of IPv6 traffic is not supported.

Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG computer or array members. To disable the IPv6 stack on the Forefront TMG computer or array member, see Knowledge Base article KB929852 (http://go.microsoft.com/fwlink/?LinkId=179983).

WCCP, ICP and ICAP protocols are not supported in Forefront TMG

Issue: The Web Cache Communication Protocol (WCCP), the Internet Cache Protocol (ICP), and the Internet Cache Adaption Protocol (ICAP) are not supported in Forefront TMG.

Cause: This functionality does not exist in Forefront TMG.

Solution: No workaround.

Authentication issues

This section describes the following authentication issues, their causes, and solutions:
- NTLM authentication issues in a chained Web proxy scenario
- Kerberos authentication issues in a chained Web proxy scenario
- Issues with clients authenticating on both downstream and upstream servers in a chained Web proxy scenario
- Web Proxy SSL Connections are only supported for chained proxy connections
- Forefront TMG access rules cannot authenticate based on a computer account
- LDAP authentication in Forefront TMG

NTLM authentication issues in a chained Web proxy scenario

Issue: You may experience problems such as unexpected delays, incomplete pages, or random authentication warning messages, when you browse the Web in a chained configuration. This can occur when the following conditions are true:
- The downstream Forefront TMG computer is configured to require integrated (NTLM) authentication.
- No authentication is required (anonymous) on the upstream Web proxy server.
- Internet Explorer is the client browser.

Cause: Internet Explorer may send an extraneous NTLM authentication header on a connection that has already been authenticated using integrated authentication with the downstream Forefront TMG computer.

Solution: For details on this behavior and workarounds, see the following Knowledge Base articles:

- KB883285 (http://go.microsoft.com/fwlink/?linkid=54627)
- KB810561 (http://go.microsoft.com/fwlink/?linkid=54626)

Kerberos authentication issues in a chained Web proxy scenario

Issue: When a client tries to authenticate with the upstream server, authentication fails if the client tries to use Kerberos authentication. This can occur when the following conditions are true:
- You configure an upstream Forefront TMG that requires Kerberos authentication.
- You configure a downstream Forefront TMG that does not require authentication (anonymous).

Cause: When the upstream Forefront TMG requests authentication, the client computer obtains a Kerberos ticket for the downstream server. This Kerberos ticket is valid for authentication with the downstream Forefront TMG. This ticket cannot be used to authenticate with the upstream Forefront TMG. When the Kerberos ticket is presented to the upstream Forefront TMG, the upstream Forefront TMG cannot validate the ticket, causing authentication to fail.

Solution: Deploy Kerberos authentication with this limitation in mind, or configure the upstream Forefront TMG server to only use NTLM authentication (accomplished by running the script given in KB927265 (http://go.microsoft.com/fwlink/?LinkId=180368)).

Issues with clients authenticating on both downstream and upstream servers in a chained Web proxy scenario

Issue: When a client tries to authenticate with the upstream Forefront TMG server, authentication fails if the client is also required to authenticate with the downstream Forefront TMG server.

Cause: Clients cannot transparently authenticate with both a downstream and an upstream Forefront TMG server. A scenario where both Forefront TMG servers require unique client authentication is not supported.

Solution: Implement one of the following solutions:
- If unique client authentication is necessary on the downstream Forefront TMG server: Configure the downstream Forefront TMG server Web chaining rule to provide credentials to the upstream Forefront TMG server, or configure the upstream Forefront TMG server to allow traffic anonymously (no authentication).
- If unique client authentication is necessary on the upstream Forefront TMG server: Configure the downstream Forefront TMG server to allow traffic anonymously (no authentication).

Note that only integrated (NTLM) authentication is supported in this scenario (see Kerberos authentication issues in a chained Web proxy scenario). To ensure caching is possible on the downstream Forefront TMG server in this scenario, run the script given in KB915025 (http://go.microsoft.com/fwlink/?LinkId=180367).

Web Proxy SSL connections are only supported for chained proxy connections

Issue: A Web Proxy client application is not supported with the SSL Web proxy listener.

Cause: This listener is designed for use in a Web-chained configuration when Basic delegation is used to prevent credentials sniffing. In this scenario, you can define an SSL connection between a downstream Forefront TMG computer and an upstream Forefront TMG computer. Forefront TMG can use a client certificate to authenticate against an upstream Forefront TMG computer. Web proxy clients may be configured to use and authenticate to this listener, but CERN proxy SSL connections cannot be established through it, because they cannot establish more than one SSL session on a TCP connection.

Solution: No workaround.

Forefront TMG access rules cannot authenticate based on a computer account

Issue: Forefront TMG access rules cannot authenticate based on a computer account.

Cause: Forefront TMG can only use a computer account for rule authentication under specific circumstances. On the Users tab, Forefront TMG allows you to specify users, groups, and security principals to be authenticated on a rule, and identifies the computer originating a request on the From tab. A rule is evaluated and applied if all the rule's conditions are met. Within a particular tab, a rule is applied if any of the conditions are met; for example, if the Users tab indicates that authentication is applied to three groups, a user only needs to belong to one of the groups in order for the rule to be applicable. Forefront TMG evaluates authentication conditions for a rule from the settings on the Users tab of that rule. However, if you specify a computer account on the Users tab, only applications running under the Local System or Network Service account on the specified computer will be authenticated. This can occur when the Web proxy listener of Forefront TMG is enabled for Windows Integrated authentication, when the specified computer authenticates to a domain controller using Kerberos, the client supports Kerberos authentication (for example Windows Update), and you specify a computer account (DomainName\ComputerName$) on the Users tab. With this setting, any service (running under the Local System account or the Network Service account) that runs a Kerberos-enabled client will be authenticated, and access allowed or denied in accordance with the rule settings. If only a domain group that is limited to user accounts is specified on the Users tab, authentication of the client application using the computer account will fail to match the rule. If a rule has both a domain user group and a computer accounts group specified, the rule can be matched for a computer account.

Solution: One workaround to differentiate remote clients by computer might be to use a VPN solution, for example, allowing a specific user working from home full access from a corporate laptop, but limited access from a home computer, as follows:
1. Create an access rule from the VPN Clients network to the destination network. The VPN Clients network will include the corporate laptop. Specify a more permissive policy on this rule, and optionally, add a user account.
2. Create an access rule from the VPN Quarantine Clients network to the destination network. The VPN Quarantine Clients network will include the home computer. Specify a more limited access policy in this rule, and add user accounts as required.

For this solution to work, you must include the Quarantine solution on each of the corporate computers. The VPN Quarantine network must be enabled, and ensure that the disconnection time is not specified (this is the default setting).

LDAP authentication in Forefront TMG

Issue: LDAP authentication is not supported for access rules.

Cause: In Forefront TMG, LDAP authentication is available only as an authentication method in Web publishing scenarios.

Solution: No workaround.
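The rule evaluation semantics above (all tabs must match, any one entry within a tab is enough, computer accounts match only a Kerberos-authenticated service) and the VPN Clients / Quarantined VPN Clients workaround are shown in the following added model. It is example code, not Forefront TMG's own logic; it assumes rules are applied in order with the first match deciding, and the domain CONTOSO, host names, group names and the sample policy are constructed.

```python
"""Added example (not Forefront TMG code): a model of the access rule
evaluation described above. Every tab of a rule (From, To, Users) must match,
while within one tab any single entry is enough. A Users-tab entry written
DomainName\\ComputerName$ is a computer account and matches only a request from
that computer authenticated with Kerberos by a client running as Local System
or Network Service. Rules are taken in order, first match deciding (assumed).
CONTOSO, the host, group and network names in the sample policy are constructed."""
from dataclasses import dataclass

SERVICE_ACCOUNTS = {"Local System", "Network Service"}


@dataclass(frozen=True)
class Request:
    source_network: str                   # From tab: network the request came from
    destination: str                      # To tab: destination host
    user_groups: frozenset = frozenset()  # groups of the authenticated user, if any
    computer_account: str = ""            # "CONTOSO\\WS01$" when the machine authenticated
    process_account: str = ""             # account the client process runs under
    kerberos: bool = False                # authenticated with Kerberos


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                           # "allow" or "deny"
    from_networks: frozenset
    to_destinations: frozenset            # "*" means any destination
    users: frozenset                      # groups, computer accounts, or "All Users"


def users_tab_matches(rule: AccessRule, req: Request) -> bool:
    """Any one Users-tab entry is enough (OR within a tab)."""
    for entry in rule.users:
        if entry == "All Users":
            return True                   # no authentication required
        if entry.endswith("$"):
            # Computer account: only the Kerberos-authenticated machine itself,
            # and only for a client running under a service account.
            if (req.computer_account.lower() == entry.lower() and req.kerberos
                    and req.process_account in SERVICE_ACCOUNTS):
                return True
        elif entry in req.user_groups:
            return True                   # user-group entry
    return False


def rule_matches(rule: AccessRule, req: Request) -> bool:
    """All tabs must match (AND across tabs)."""
    from_ok = req.source_network in rule.from_networks
    to_ok = "*" in rule.to_destinations or req.destination in rule.to_destinations
    return from_ok and to_ok and users_tab_matches(rule, req)


def evaluate(policy: list, req: Request) -> tuple:
    """Return (action, rule name) of the first matching rule; deny otherwise."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "default rule"


# Constructed sample policy. The last two rules are the VPN workaround from the
# text: a permissive rule for VPN Clients (corporate laptops) and a limited one
# for Quarantined VPN Clients (home computers).
POLICY = [
    AccessRule("Windows Update from WS01", "allow", frozenset({"Internal"}),
               frozenset({"*"}), frozenset({"CONTOSO\\WS01$"})),
    AccessRule("Domain users Web access", "allow", frozenset({"Internal"}),
               frozenset({"*"}), frozenset({"CONTOSO\\Domain Users"})),
    AccessRule("Corporate laptops", "allow", frozenset({"VPN Clients"}),
               frozenset({"*"}), frozenset({"CONTOSO\\Remote Users"})),
    AccessRule("Home computers", "allow", frozenset({"Quarantined VPN Clients"}),
               frozenset({"intranet.contoso.com"}), frozenset({"CONTOSO\\Remote Users"})),
]

# Windows Update running as Local System on the domain computer WS01.
UPDATE_SERVICE = Request("Internal", "www.example.com", computer_account="CONTOSO\\WS01$",
                         process_account="Local System", kerberos=True)
# A domain user browsing from the same network.
ALICE = Request("Internal", "www.example.com",
                user_groups=frozenset({"CONTOSO\\Domain Users"}))
# The same remote user from the corporate laptop and from a home computer.
LAPTOP = Request("VPN Clients", "fileserver.contoso.com",
                 user_groups=frozenset({"CONTOSO\\Remote Users"}))
HOME_PC = Request("Quarantined VPN Clients", "fileserver.contoso.com",
                  user_groups=frozenset({"CONTOSO\\Remote Users"}))

if __name__ == "__main__":
    for req in (UPDATE_SERVICE, ALICE, LAPTOP, HOME_PC):
        print(req.source_network, req.destination, "->", evaluate(POLICY, req))
```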
