Microsoft Forefront Threat Management Gateway 2010 (Forefront TMG 2010) was released on 17 November 2009. It is built on the foundation of ISA Server 2006 and provides enhanced web protection, native 64-bit support, support for Windows Server 2008 and Windows Server 2008 R2, malware protection and BITS caching.
Forefront Threat Management Gateway 2010, commonly referred to as TMG 2010, is the long-awaited latest and greatest release of Microsoft’s Internet Security and Acceleration (ISA) Server, which we have all come to love or hate over the years. TMG builds on ISA’s ability to deliver a comprehensive application-layer reverse proxy firewall and is usually deployed on the edge of your network or behind an existing edge device such as a firewall provided by Cisco or Checkpoint. Today, I will begin a series of articles on installing and configuring Forefront TMG 2010 and discuss some of the new features that have been integrated into this release, before providing a step-by-step guide to securely publishing web sites such as Outlook Web App (OWA) or internal SharePoint web sites.
Let’s begin by outlining some of the key new features that TMG introduces over ISA.
- URL Filtering: TMG now includes a comprehensive web filtering subscription service that is tightly integrated into the TMG management console. Organizations can create rules to block or allow web sites based on category, such as pornography, violence, shopping etc. This was usually only possible by using 3rd party services such as Websense/Surfcontrol or Symantec, and usually required additional hardware and extra servers on top of your ISA implementation.
- Web anti-malware: Another subscription based service that provides protection over web sites/pages that may contain malware and viruses.
- Email protection: Yup, you guessed it. Another protection subscription service that utilises Forefront Protection for your Exchange servers and scans emails for viruses and spam content before they are delivered to your Exchange mailboxes.
- Network Inspection System: Commonly referred to as NIS, this out of the box feature scans traffic for any exploits based on any outstanding Microsoft Vulnerabilities.
- Other features: These include the long awaited 64 bit and Windows 2008 support for greater scalability, Enhanced NAT for 1-1 publishing, and Enhanced VOIP capabilities that should make for simpler voice deployments.
http://technet.microsoft.com/en-au/library/dd896981.aspx
After ensuring the minimum requirements are met, launch autorun.hta and, on the main setup splash page, begin by running the preparation tool. Because my machine is joined to the network and is running WSUS, I have purposely skipped the Run Windows Update step; however, please run it if you are not running WSUS in your environment.
Select Forefront TMG services and Management. Click Next.
The Installation proceeds and begins configuring the necessary Windows Roles and Features that are required by TMG.
The installation begins and the wizard outlines the 3 core stages and estimated times.
Once the welcome screen appears, click Next.
Once the welcome screen appears, click Next.
Specify your installation path. Click Next.
Add your Internal Network Address Ranges. Click Next.
You will receive the below warning message advising of services that will be restarted during the installation. Click Next. Then click Install.
Upon launching Forefront TMG for the first time you will be presented with a Getting Started Wizard, which will assist in getting you up and running in 3 easy steps. Please note that if you intend to import your existing ISA 2006 Server configuration settings to the new TMG server, you must close the wizard and accomplish this task first.
Let’s begin by going through the 3 stages of the Getting Started Wizard. The first stage is Configuring your network settings.
Click Next
![Microsoft Microsoft](/uploads/1/2/6/4/126451689/671221333.jpg)
As in ISA 2006, the screen below allows you to select a network template. TMG detects which types of network setup are configurable based on the number of adapters installed on your TMG server. In my instance, I only have a single adapter, and this is reflected in the screen capture below. This TMG setup is purely acting as a second-layer application firewall publishing our web applications such as SharePoint and Outlook Web App.
Click Next
Specify your IP address settings. It is best practice that you specify a static IP address to your TMG server as opposed to utilising DHCP.
Click Next and Finish.
You will then be presented with Stage 2 of the Getting Started Wizard, Configure system settings.
The system will attempt to determine Host identification details such as Computer name, Windows domain and DNS suffix.
Click Next and Finish.
The third and final stage of the Getting Started Wizard is defining your deployment options.
Click Next
Specify whether Forefront TMG will use the Microsoft Update Service to check for updates. Please note that if your TMG server is configured to use WSUS then it will utilise this method first and use the Microsoft Update service as a fallback method.
The next screen allows us to configure TMG’s protection features such as Network Inspection System (NIS) and Web Protection. As mentioned earlier in the post, these are paid subscription-based services; however, Microsoft does provide you with a 120-day complimentary evaluation of these 2 product offerings.
Click Next
Specify your NIS signature update settings and how often it will check for new updates.
Click Next.
In the next screen, specify whether you want to participate in the Customer Feedback Improvement Program.
Click Next
In the next screen you will be provided with the opportunity to participate in the Microsoft Telemetry Reporting Service, where details of malware attacks etc. are sent to Microsoft, assisting them with improving TMG and its signatures.
Click Next and then Finish.
Upon clicking close, TMG will provide you with the ability to Run the Web Access Wizard to create your first rule. We will be discussing Access Rules and Publishing Rules in upcoming articles in this TMG series.
I’d be interested to know how many TMG deployments are out there and how many are considering replacing their existing ISA boxes with TMG 2010.
References
Forefront TMG Planning and Design; http://technet.microsoft.com/en-au/library/cc441674.aspx
Forefront TMG Deployment; http://technet.microsoft.com/en-au/library/cc441445.aspx
Installing Forefront TMG; http://technet.microsoft.com/en-au/library/cc441440.aspx
Forefront TMG 2010 adds two new subscription-based features, known collectively as Forefront TMG Web Protection Services (WPS). These features include URL Filtering (URLF) and Anti-Malware or Enhanced Malware Protection (AM or EMP). One thing that makes these features unique within Forefront TMG is that they are licensed separately from Forefront TMG itself. This blog will discuss the various licensing and purchasing options available for URLF and EMP subscriptions and guide you through managing the license details in Forefront TMG management.
WPS Purchasing and Pricing
The first thing most people want to know is “How do I get a Forefront TMG WPS license and how much does it cost?”
Forefront TMG WPS is a subscription product licensed per user or per device. This subscription is only offered through Microsoft Volume Licensing programs, and must be purchased separately from Forefront TMG 2010. Forefront TMG WPS is included in Forefront Protection Suite and ECAL. You can find information on purchasing Forefront TMG WPS through Microsoft or a Microsoft partner at http://www.microsoft.com/forefront/threat-management-gateway/en/us/purchase.aspx.
The Forefront TMG WPS pricing structure is outlined in http://www.microsoft.com/forefront/threat-management-gateway/en/us/pricing-licensing.aspx.
You may want to take advantage of Forefront TMG WPS while you wait for your license to arrive; or perhaps you want to give WPS a test drive before you decide whether you want to purchase a license. Regardless, TMG provides a free 120-day trial subscription that goes into effect as soon as you deploy Forefront TMG 2010.
Using the Getting Started Wizard (GSW)
The Getting Started Wizard (GSW) provides one way to configure these options. During this process, you can choose to enable HTTPS Inspection, URLF and EMP as well as whether to use the evaluation license (selected by default). The following steps show you where you make these choices in the GSW.
Note: if the TMG computer is a member of an array, the GSW is not available. In this case, you must use the steps under Without the GSW.
When the installation wizard completes successfully, you are offered the option to launch the Forefront TMG management console. Select Launch Forefront TMG Management when this wizard closes and click Finish as shown below:
Figure 1 - GSW TMG management startup
1. When the Forefront TMG management console opens, the GSW appears. Proceed through the Configure Network Settings and Configure System Settings wizards
2. When the Configure System Settings wizard completes, click on Define Deployment Options as shown below:
Figure 2 - GSW deployment options
3. In the Welcome to the Deployment Wizard page, click Next
4. In the Microsoft Update Setup page, select Use the Microsoft Update service to check for updates (recommended) and click Next
5. In the Forefront TMG Protection Features Settings page Web protection area, make the following selections as shown below and click Next:
Figure 3 - GSW Web protection license
Note: as shown above, Forefront TMG automatically enables the evaluation license and sets the expiration date for 120 days from the installation date, regardless of whether you enabled Forefront TMG WPS. If you already have your Forefront TMG WPS subscription license, you should change the license options using your license key (Enterprise Agreement number) and EA expiration date as shown below:
Figure 4 - Entering the license in GSW
6. Continue through the remaining Deployment Options Wizard pages using options appropriate to your environment
If the GSW has already been run, but Forefront TMG is not yet joined to an array, you can still use the GSW to perform these tasks.
1. Open the Forefront TMG management console
2. In the left pane, select <ArrayName>
3. In the right pane, click Launch Getting Started Wizard
4. When the Getting Started Wizard appears, click on Define Deployment Options as shown below:
Figure 5 - Re-running the GSW
5. Continue with step (4) in Immediately After TMG Installation
Without the GSW
If you joined Forefront TMG to an array, the GSW isn’t available to configure Forefront TMG WPS licensing. In this case, you need to accomplish this task in a different way.
Note: because the same license information applies equally to URLF and EMP, this task only needs to be performed once; not once for each feature.
1. Open the Forefront TMG management console
2. In the left pane,
3. Expand
a. (Enterprise Edition) Arrays, then <ArrayName>
b. (Standard Edition) <ArrayName>
4. Select Web Access Policy
5. In the right pane, click Configure Malware Inspection
6. In the Malware Inspection page, click License Details.
7. In the License Details page, you will see that the license is “Evaluation” as shown below:
Figure 6 - License details in Malware Inspection controls
8. If you want to activate your license, enter the Enterprise Agreement number and expiration date in the fields provided as shown below:
Figure 7 - Entering license details in MI control
9. Click Apply, then OK
In the center pane, click Apply to enforce your new policy. When prompted, enter a description for this change (hey - the URL for this blog could work) and click OK
Monitoring License State
Something the Forefront TMG product team foresaw is the need for the Forefront TMG administrator to get advance warning that the Forefront TMG WPS license is nearing expiration or that it has already expired. Thus, they created two new alerts specific to this feature set as shown below:
Figure 8 - License alerts
- License Expired: this error alert is triggered when the Forefront TMG WPS license expiration date has passed. At this point, Forefront TMG is no longer receiving EMP updates nor is it issuing MRS queries.
- License Nearing Expiration: this warning alert is triggered when the current date is within one month of the expiration date. Forefront TMG continues to obtain EMP updates and issue MRS queries until the license actually expires.
These two alerts are enabled by default and both are configured to write an event to the Windows Application event log when they are triggered. This makes it possible for any standard server monitoring system to monitor for these alerts and thus make you aware when you need to take action regarding your license.
If your license has expired, and you attempt to initiate an update cycle from the Update Center in Forefront TMG management, this action will result in the warning message shown below:
Figure 9 - Update Center license expired warning
If you click Yes, Forefront TMG will attempt to perform an update cycle for NIS signatures only.
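The license timing rules described above, applied to an inventory of gateways so that a lapse in EMP and URLF coverage is caught before it happens. This is an added example, not code from the original post or from Forefront TMG; the gateway names and dates are constructed, and "within one month" is modelled as 30 days.

```python
from datetime import date, timedelta

EVAL_DAYS = 120                    # evaluation runs from the install date (per the article)
WARN_WINDOW = timedelta(days=30)   # assumption: "within one month" modelled as 30 days


def wps_expiry(install_date, ea_expiry=None):
    """Expiry of the WPS license: the EA date if one was entered, else install + 120 days."""
    return ea_expiry or install_date + timedelta(days=EVAL_DAYS)


def wps_state(today, install_date, ea_expiry=None):
    """Return (alert, days_left, services_still_updating) for one gateway."""
    expiry = wps_expiry(install_date, ea_expiry)
    days_left = (expiry - today).days
    if today > expiry:
        # Expired: EMP updates and MRS queries stop; Update Center offers NIS only.
        return "License Expired", days_left, ["NIS"]
    if expiry - today <= WARN_WINDOW:
        return "License Nearing Expiration", days_left, ["NIS", "EMP", "MRS"]
    return None, days_left, ["NIS", "EMP", "MRS"]


def audit(today, gateways):
    """Return the gateways that need action, soonest expiry first."""
    rows = []
    for name, installed, ea_expiry in gateways:
        alert, days_left, services = wps_state(today, installed, ea_expiry)
        if alert:
            rows.append((days_left, name, alert, services))
    return [(n, a, d, s) for d, n, a, s in sorted(rows)]


# Constructed inventory: (name, install date, EA expiry entered in License Details or None)
GATEWAYS = [
    ("tmg-edge-01", date(2010, 1, 4), None),               # evaluation, never licensed
    ("tmg-edge-02", date(2010, 3, 1), None),               # evaluation, installed later
    ("tmg-dmz-01",  date(2010, 1, 4), date(2012, 6, 30)),  # EA license entered
]

if __name__ == "__main__":
    for name, alert, days_left, services in audit(date(2010, 6, 10), GATEWAYS):
        print(f"{name}: {alert} ({days_left} days), still updating: {', '.join(services)}")
```

Because the evaluation clock starts at installation, a gateway on which EMP or URLF is enabled months after setup can already be inside the warning window, or past expiry, on the day the feature is turned on.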
By default, Forefront TMG provides and enables an evaluation license for Forefront TMG WPS that expires 120 days after installing Forefront TMG; not 120 days after you enable EMP or URLF. Forefront TMG provides two alerts relevant to Forefront TMG WPS licensing that also write to the Windows Application event log. Finally, changing and verifying your Forefront TMG WPS license details is as simple as a few mouse clicks.
Author
Jim Harrison, Program Manager, Forefront TMG
Reviewers
Adwait Joshi, Senior Product Manager, Identity & Security BG
Brita Jenquin, Senior Product Manager, Identity & Security BG