How to install the Forefront Threat Management Gateway (Forefront TMG) Beta 1.

Published: May 06, 2008
Updated: May 06, 2008
Section: Tutorials :: Configuration - General
Author: Thomas Shinder

If you haven't heard yet, the ISA Firewall is going away. The last version of the ISA Firewall is going to be ISA 2006. However, that doesn't mean that the ISA software that we've come to love over the years is going away. While the ISA brand will fall into the dustbin of history, we'll see the next version of the ISA Firewall come in with a new name: the Forefront Threat Management Gateway.

There are a number of reasons why the ISA name is going away. But probably the primary reason is that the general public never seemed to be able to figure out what the ISA Firewall was all about. Some people thought it was just a Web proxy server (a la Proxy 2.0), some people thought it was just a firewall, some people thought it was a VPN server, some people thought it was a VPN gateway, and some people thought it was some kind of Frankenstein and couldn't make any sense out of it. By renaming the product, the Forefront TMG should be able to get some newfound attention, and hopefully the name itself will provide a clearer focus on the primary design goal of the product. In this article I'm going to give you a look at the installation process. However, before installing the TMG, you need to know the following:

• TMG will only run on 64-bit Windows Server 2008. There will be a 32-bit demo version after the TMG goes RTM, but there won't be any beta versions that run on 32-bit Windows.
• TMG requires at least 1 GB of memory (it will probably run on less, but not very quickly).
• 150 MB of disk space.
• At least one NIC (although I always recommend two or more NICs to provide true security).
• You must install to the default folder on the C: drive.
• TMG will install IIS 7 on your machine in order to support SQL reporting services. If you remove TMG from the machine, IIS 7 will not be removed for you and you will need to do that manually.
• Services and driver files for the TMG are installed in the TMG installation folder.
• For the beta 1 version of the TMG, the TMG machine must be a domain member. In future betas, non-domain membership will be supported.

In this article series (should end up being two parts), I am installing the TMG on a Windows Server 2008 Enterprise edition machine that is running as a VM on VMware Virtual Server 1.0. The VM has two interfaces: one interface is bridged to the external network and will act as the external interface, and the second interface is placed on VMNet2, which will be the interface on the default Internal Network. Note that the networking model for the TMG has not changed from that used by the ISA Firewall.

Download your TMG software. The TMG is one of the several pieces of software that comprise the Forefront Stirling collection of products. You can download all of them, or just the TMG. The TMG will work fine without Stirling, but Stirling is something that you definitely want to get to know about in the future.

Double click the file you downloaded. You'll see the Welcome to the InstallShield Wizard for the Forefront Threat Management Gateway page. Click Next.

Figure 1

Install the files to the default location, which is C:\Program Files (x86)\Microsoft ISA Server. Click Next.

Figure 2

The files will be extracted to that location.

Figure 3

Click Finish when the extraction finishes.

Figure 4

Go to the C:\Program Files (x86)\Microsoft ISA Server folder and double click the ISAAutorun.exe file.

Figure 5

This opens up the Microsoft Forefront TMG 270-Day Evaluation Setup dialog box. Click the Install Forefront TMG link.

Figure 6

This brings up the Welcome to the Installation Wizard for Microsoft Forefront Threat Management Gateway page. Click Next.

Figure 7

On the License Agreement page, select the I accept the terms in the license agreement option and click Next. Notice that the license agreement still contains the old code name of the product, which was Nitrogen.

Figure 8

On the Customer Information page, enter your User Name and Organization. The Product Serial Number will be filled in for you. Click Next.

Figure 9

Here we see a new setup option that wasn't available in previous versions of the product. On the Setup Scenarios page, you have the option to install the Forefront TMG or install only the TMG Management console. In this example we're installing the entire product, so we'll select Install Forefront Threat Management Gateway and click Next.

Figure 10

On the Component Selection page, you have the options to install the TMG firewall software, the TMG management console, and the CSS. Yes, you guessed it. There are no more Standard and Enterprise editions of the ISA firewall. The TMG will be sold as a single edition and this single edition uses the CSS, even if you have only a single member TMG array. However, you will be able to create arrays using the TMG. That functionality is not available with this version of the TMG, however, and will be available in later betas. In this example we'll install all of these options in the default folder (we need to install in the default folder for this version of the TMG). Click Next.

Figure 11

It looks like I have a problem here. While the machine is a member of the domain, I forgot to log on with a user account that is a domain member. In order to install the TMG, you must be logged on as a domain user that has local administrator privileges on the TMG machine.

Figure 12

Looks like I'm going to have to restart the installation. We'll pick up where we left off after I log off and log on again and restart the installation.
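The requirements listed at the start of the article, and the logon requirement that stopped setup here, can be checked before the installer is launched. The PowerShell script below is an added example, not part of the article or of the TMG setup package. It assumes PowerShell is installed on the Windows Server 2008 machine and is run from an elevated prompt; `Add-Check` is a hypothetical helper name.

```powershell
# Added example (not from the article or the TMG package): pre-install check
# for the Forefront TMG Beta 1 requirements the article lists.
# Assumption: run from an elevated PowerShell prompt on the target server.
$results = @()
$failed  = $false

# Add-Check is a hypothetical helper that records one PASS/FAIL line.
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $status = 'FAIL'
    if ($Passed) { $status = 'PASS' }
    $script:results += ('{0}  {1,-38} {2}' -f $status, $Name, $Detail)
    if (-not $Passed) { $script:failed = $true }
}

$os   = Get-WmiObject Win32_OperatingSystem
$cs   = Get-WmiObject Win32_ComputerSystem
$cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')

# 64-bit Windows Server 2008: kernel version 6.0, not a workstation SKU
# (ProductType 1), and a 64-bit address width as seen by the running OS.
$is2008x64 = ($os.Version -like '6.0.*') -and ($os.ProductType -ne 1) -and ($cpu.AddressWidth -eq 64)
Add-Check '64-bit Windows Server 2008' $is2008x64 $os.Caption

# At least 1 GB of memory. Compared in MB with a small allowance because
# TotalPhysicalMemory can under-report when firmware reserves some RAM.
$memMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
Add-Check 'At least 1 GB of memory' ($memMB -ge 1000) "$memMB MB"

# 150 MB of disk space; setup must go to the default folder on C:.
$freeMB = [math]::Round($disk.FreeSpace / 1MB)
Add-Check '150 MB free on C:' ($freeMB -ge 150) "$freeMB MB free"

# At least one NIC (the article recommends two or more).
Add-Check 'At least one NIC' ($nics.Count -ge 1) "$($nics.Count) IP-enabled adapter(s)"

# Beta 1 requires domain membership.
Add-Check 'Machine is a domain member' $cs.PartOfDomain $cs.Domain

# The logon requirement: a domain account (not a local one, whose name is
# prefixed with the computer name) holding local administrator rights.
# IsInRole reports False for an administrator whose token is not elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isDomainUser = ($id.Name.Split('\')[0] -ne $env:COMPUTERNAME)
Add-Check 'Logged on as a domain user' $isDomainUser $id.Name
$principal = New-Object Security.Principal.WindowsPrincipal $id
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'User has local administrator rights' $isAdmin $id.Name

$results
if ($failed) { 'One or more requirements are not met; fix them before running setup.' }
```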

Figure 13

Now that I'm logged on as a domain user with local admin privileges, we pick up the installation process on the Internal Network page. If you've installed the ISA Firewall, you'll recognize this page from previous versions of the ISA Firewall. This is where you define the default Internal network. In almost all cases you should select the Add Adapter option, since this will define your default Internal network based on the routing table configured on the ISA Firewall. However, one thing I don't know is whether the definition of the default Internal Network will automatically change if I change the configuration of the routing table on the ISA Firewall. I'll bet a quarter that it doesn't, but it's something we'll have to check into in the future.

Figure 14

The Internal Network page now shows the definition of the default Internal Network. Click Next.

Figure 15

The Services Warning page informs you that the SNMP Service, the IIS Admin Service, the World Wide Web Publishing Service and the Microsoft Operations Manager Service will all be restarted during the installation. It's unlikely that you'll have already installed the Web server role on this machine, so you don't need to worry about the IIS Admin Service or the World Wide Web Publishing Service, but you should be aware of the SNMP and Microsoft Operations Manager Service restart. Remember, TMG will install and configure IIS 7 for you.

Figure 16

Click Install on the Ready to Install the Program page.

Figure 17

The progress bar shows you the installation progress. Here you can see the CSS being installed.

Figure 18

It worked! The Installation Wizard Completed page shows the installation has completed successfully. Put a checkmark in the Invoke Forefront TMG Management when the wizard closes checkbox. Click Finish.

Figure 19

At this point you'll see the Protect the Forefront TMG Server Web page. Here you're provided information on turning on Microsoft Update, running the ISA BPA, and reading the Security and Protection section in the Help file. One thing I can tell you about the Help File so far is that they've done a fantastic job at upgrading its content. There is much more information, and much more real world deployment information included with the new and improved Help File. I recommend that you spend some time reading the Help file. I guarantee that even if you're a seasoned ISA Firewall admin, the TMG Help File is going to provide you some new insights.

Figure 20

After the initial installation is complete, you'll see the new Getting Started Wizard. The Getting Started Wizard is new with the TMG and wasn't available in the previous versions of the ISA Firewall. There are three basic wizards included in the Getting Started Wizard, and an optional fourth one that we'll see when we finish the first three. The first wizard is the Configure network settings wizard. Click the Configure network settings link on the Getting Started Wizard page.

Figure 21

On the Welcome to the Network Setup Wizard page, click Next.

Figure 22

On the Network Template Selection page, select the network template that you want to apply to the TMG. These are the same network templates that were available with previous versions of the ISA Firewall. Click on each of the options and read the information provided on the lower part of the page. In this example, we'll use the preferred template, which is the Edge firewall template. Click Next.

Figure 23

On the Local Area Network (LAN) Settings page, you are given the opportunity to configure IP addressing information on the LAN interface. First, you select the NIC that you want to be the LAN interface on the ISA Firewall by clicking the drop down menu for Network adapter connected to the LAN. The IP addressing information for this NIC will appear automatically. You can make changes to the IP addressing information here. Also, you can create additional static routes by clicking the Add button.

One thing I don't know is what changes on this page will do to the definition of the default Internal Network. Suppose I configured the default Internal Network to be 10.0.0.0-10.0.0.255 but then decided to change the IP address on the internal interface on this page so that it was on a different network ID. Will the definition of the default Internal Network change? What if I add a static route on the internal interface of the TMG? Will these changes be reflected in the definition of the default Internal Network? I don't know, but it's something to investigate in the future.

I won't make any changes on this page as I had already set up the internal interface with the IP addressing information I required. Click Next.

Figure 24

The Internet Settings page allows you to configure IP addressing information on the external interface of the TMG firewall. Like the last page, you select the NIC that you want to represent the external interface by clicking the Network adapter connected to the Internet drop down list. Also like the last page, you can change the IP addressing information. Since I already configured the external interface with the IP addressing information I wanted it to have, I'll make no changes here. Click Next.

Figure 25

The Completing the Network Setup wizard page shows you the results of your changes. Click Finish.

Figure 26

This takes you back to the Getting Started Wizard page. The next wizard is the Configure system settings wizard. Click the Configure system settings link.

Figure 27

Click Next on the Welcome to the System Configuration Wizard page.

Figure 28

The Host Identification page asks you about the host name and domain membership of the TMG firewall. In this example, it has automatically detected the host name of the machine, which is TMG2009. The wizard has also identified the domain membership of the machine. I suspect that this wizard will allow you to join a domain if you haven't yet done so, and to leave the domain if you want to. Also, if the machine is a workgroup member, you have the opportunity to enter a primary DNS suffix that the ISA Firewall can use to register in your domain DNS, if you have DDNS enabled and you don't require secure DDNS updates. Since I have already configured this machine as a domain member, I don't need to make any changes on this page. Click Next.

Figure 29

That's it for the System Configuration Wizard. Click Finish on the Completing the System Configuration Wizard page.

Figure 30

One more wizard on the Getting Started Wizard page. Click the Define deployment options link.

Figure 31

Click Next on the Welcome to the Deployment Wizard page.

Figure 32

On the Microsoft Update Setup page, you have the options Use the Microsoft Update service to check for updates and I do not want to use Microsoft Update Service. Note that not only does the TMG use the Microsoft Update service to update the OS and the TMG firewall software, it also uses it to check for malware definitions, which it does several times a day (by default, every 15 minutes). Since one of the major advantages of using a Microsoft firewall over other firewalls is the excellent auto-update feature, we'll go ahead and use the Microsoft Update site. Click Next.

Figure 33

On the Definition Update Settings page, you select whether you want the TMG firewall to check and install, check only or do nothing with malware inspection updates. You can also set the polling frequency, which is set at every 15 minutes by default. However, you can set the updates to be downloaded once a day, and then configure the time of day when you want those updates installed. Click Next.

Figure 34

On the Customer Feedback page, choose whether or not you want to provide anonymous information to Microsoft on your hardware configuration and how the product is used. No information shared with Microsoft can be used to identify you, and no private information is released to Microsoft. I figure I share my name, birth date, social security number, drivers license number and address with my bank, and I trust Microsoft a lot more than I trust my bank, given the bank's requirements to share information with the Federal Government. So sharing this technical information with Microsoft is a no-brainer, and it helps make the product more stable and secure. Select the Yes, I am willing to participate anonymously in the Customer Experience Improvement Program (recommended) option.

Figure 35

On the Microsoft Telemetry Service page, you can configure your level of membership in the Microsoft Telemetry service. The Microsoft Telemetry Service helps protect against malware and intrusion by reporting information to Microsoft about potential attacks, which Microsoft uses to help identify attack patterns and improve precision and efficiency of threat mitigations. In some instances, personal information might be inadvertently sent to Microsoft, but Microsoft will not use this information to identify or contact you. It's hard to determine what kind of personal information might be sent, but since I'm in the habit of trusting Microsoft, I'll select the Join with an advanced membership option. Click Next.

Figure 36

The Completing the Deployment Wizard page shows the choices you made. Click Finish.

Figure 37

That's it! You're done with the Getting Started Wizard. But that doesn't mean that you're done. If you put a checkmark in the Run the Web Access wizard checkbox, the Web Access Wizard will start. Let's put a checkmark there and see what happens.

Figure 38

This starts the Welcome to the Web Access Policy Wizard. Since this is a new way of creating TMG firewall policies, I think we'll wait until the next article to get into the details of this wizard. It seems that the TMG will allow you to configure Web Access Policy in a way that's a bit different than how we did it with previous versions of the ISA Firewall, so I want to make sure we have an article dedicated to this feature.

Figure 39

Now that installation is complete, we can see the new console. If you look at the left pane of the console, you'll see that there aren't any nested nodes, which makes navigation a bit easier. Also, we see a new node, the Update Center node. This is where you can get information about updates to the anti-malware feature of the TMG, and also find out when the malware updates were installed.

Figure 40

After installation completed, I found that there were some errors. But this might be related to the fact that the TMG didn't work at all after the installation was complete. I was able to solve this problem by restarting the computer. I'm not sure if this is related to running the TMG firewall on VMware Virtual Server, or if this is a beta bug.

Figure 41

Taking a look at the Initial Configuration Tasks you can see that a number of roles and services were installed on this computer as part of the TMG installation. These include:

• Active Directory Lightweight Directory Services (ADAM)
• Network Policy and Access Services (required for RRAS and VPN)
• Web Server (IIS) (required for SQL reporting services and TMG reporting)
• Network Load Balancing Services (required for NLB support)
• Remote Server Administration Tools (don't know why these were installed)
• Windows Process Activation Service (most likely secondary to the Web server role requirements)

Figure 42

Summary

In this article we went through the installation process for the TMG firewall. There were a few changes from what we've seen in previous versions of the ISA Firewall, but nothing earthshaking. But that's OK, the installation experience isn't a place where I expect to be wowed. What we did see were a few nice improvements in the installation routine that give you some more flexibility during setup. If you take some more time to look at the TMG firewall software after installation, and you don't notice any of the features that you were hoping for, don't get too worried yet. This is a very early beta version and I suspect that it is far from feature complete. I know there are more than a dozen features that have been repeatedly requested ever since the release of ISA 2000. So, while sometimes first impressions are lasting impressions, I don't want that to be the case for your first view of the TMG firewall. Remember that it's beta one and expect to see some things in the future that are going to make you very happy.

Thanks! - Tom.
