You may wonder what Forefront TMG (Threat Management Gateway) 2010 is, and what you can do with it. Well… it is a proxy server, it is a firewall, it is a web content filter, it is a VPN server, it is… enough. In short, it is a network security and protection solution from Microsoft. I’ve been using this great product for many, many years, and I’ll tell you, once you get to know TMG you will love it too. You can use it as a firewall to protect your company, campus, school etc.; you can use it as a proxy server to filter websites or the content of those websites. Before you can do any of this with it, you first need to install the product, and in this step by step guide I’ll show you how to install Forefront TMG 2010 in firewall mode.
For this exercise you need two network cards in the host system, one called LAN and the other one WAN. I renamed the network adapters to tell more easily which one is connected to the internet and which one is connected to the internal network.
First let’s start configuring the network cards, so open Network Connections from Control Panel, right click your LAN connection (the one that is connected to your internal network) and choose Properties. Click Internet Protocol Version 4 (TCP/IPv4) and then Properties. Select Use the following IP address and fill in the boxes with your own settings. Leave the gateway field empty, because packets will be routed through the external network card. In the Preferred DNS Server box put the IP of your internal DNS server if you have one; if not, put the IP address of an external DNS server (OpenDNS or Google). Click OK and Close.
Next we need to configure the external network card (the one that is connected to the internet). Right click it and choose Properties. Again select the IPv4 protocol and click Properties. Now you need to know whether your ISP assigned you a static IP address or a dynamic one. If you have a static IP address choose the option Use the following IP address, but if you have a dynamic IP leave the defaults.
When you are done with the IP settings click the Advanced button, go to the DNS tab and uncheck Register this connection’s address in DNS. Now select the WINS tab; here select Disable NetBIOS over TCP/IP and uncheck Enable LMHOSTS lookup. When you’re done click OK, and OK again.
Back to the adapter properties, uncheck the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Click Close.
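The adapter settings from the steps above, scripted for a TMG host on Windows Server 2008 R2 as an added example (not part of the original post); the adapter names LAN and WAN come from the text, while every IP address below is a constructed placeholder.

```powershell
# Added example: applies the LAN/WAN settings described above with netsh, WMI and the
# registry (the NetTCPIP cmdlets only exist on Windows Server 2012 and later).
# Run from an elevated PowerShell prompt. All addresses are constructed placeholders.
$LanName = "LAN"; $LanIP = "192.168.10.1"; $LanMask = "255.255.255.0"; $LanDns = "192.168.10.5"
$WanName = "WAN"; $WanStatic = $false                       # $true if the ISP assigned a static IP
$WanIP = "203.0.113.10"; $WanMask = "255.255.255.248"; $WanGw = "203.0.113.9"

function Get-NicConfig([string]$ConnName) {
    # Map the friendly connection name (as shown in Network Connections) to its TCP/IP configuration.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnName'"
    if (-not $nic) { throw "No network connection named '$ConnName'" }
    $nic.GetRelated("Win32_NetworkAdapterConfiguration") | Select-Object -First 1
}

# Internal card: static address and DNS, deliberately no default gateway (packets leave via WAN).
netsh interface ipv4 set address name="$LanName" source=static address=$LanIP mask=$LanMask
netsh interface ipv4 set dnsservers name="$LanName" source=static address=$LanDns validate=no

# External card: static or DHCP as the ISP dictates; DNS stays on the internal card.
if ($WanStatic) {
    netsh interface ipv4 set address name="$WanName" source=static address=$WanIP mask=$WanMask gateway=$WanGw
} else {
    netsh interface ipv4 set address name="$WanName" source=dhcp
}

# Advanced > DNS: do not register the external address in DNS.
$wanCfg = Get-NicConfig $WanName
[void]$wanCfg.SetDynamicDNSRegistration($false, $false)
# Advanced > WINS: disable NetBIOS over TCP/IP on the external card (2 = disable)...
[void]$wanCfg.SetTcpipNetbios(2)
# ...and turn off LMHOSTS lookup (this value is machine-wide, like the checkbox).
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" -Name EnableLMHOSTS -Value 0

# Unbinding Client for Microsoft Networks and File and Printer Sharing has no built-in command
# on 2008 R2, so that step stays in the GUI there; on 2012 and later the cmdlet below does it.
if (Get-Command Disable-NetAdapterBinding -ErrorAction SilentlyContinue) {
    Disable-NetAdapterBinding -Name $WanName -ComponentID ms_msclient, ms_server
} else {
    Write-Warning "Untick Client for Microsoft Networks and File and Printer Sharing on '$WanName' by hand."
}

# Quick check: LAN must show no default gateway, WAN must show registration off and NetBIOS disabled.
netsh interface ipv4 show config name="$LanName"
netsh interface ipv4 show config name="$WanName"
Get-NicConfig $WanName | Select-Object FullDNSRegistrationEnabled, TcpipNetbiosOptions
```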
Before we start the installation we need to prepare the environment. On the TMG setup screen click Run Preparation Tool and just follow the wizard.
When you get to the Installation Type screen leave the defaults, which prepare the environment for the TMG services and the management console. Click Next.
After the environment preparation is done, click the Finish button to start the TMG 2010 installation.
Skip the welcome screen by clicking Next. To be able to continue with the installation you need to accept the EULA, so choose I accept the terms in the license agreement, then click Next.
Fill in the customer information and serial number and click Next.
Leave the default installation path and click Next.
Here we need to tell TMG which of the network adapters installed in the system is our internal one. Click the Add button, then Add Adapter. In the Select Network Adapters window select the LAN adapter. Click OK twice, then Next.
This screen is telling us that some services will restart or will be disabled during installation. Click Next to continue.
To start the installation all you have to do is click Install.
You can go and start a StarCraft campaign (if you know the game) until it is done, because it will take a while. When the installation is finished and you open the TMG 2010 console for the first time, a Configuration Wizard pops up.
Let’s start with the first one, Configure Network Settings. Click Next on the Welcome screen. Since we have two network cards in our machine, TMG 2010 already knows that we are deploying an Edge Firewall. Leave the defaults and click Next.
From the drop-down list select the network adapter which belongs to the internal network. In our case it is LAN. Click Next.
On this screen TMG 2010 already selects the remaining available network adapter as the external one.
If your WAN adapter is configured for dynamic IP addresses, the wizard will inform you that it is going to enable a security rule for the DHCP traffic. Just click OK and continue the wizard.
On the Summary screen click the Finish button. We have reached the second step of the TMG 2010 Configuration Wizard. Click the link Configure System Settings. After the welcome screen we tell TMG whether it is part of a domain or a workgroup. Since I never mentioned anything about TMG being part of a domain, leave the defaults and finish the wizard.
Launch the last step by clicking the link Define Deployment Options. When you reach the Microsoft Update Setup screen, choose whether to download updates from Microsoft or not. I recommend you select the first option, Use the Microsoft Update service to check for updates, so your TMG 2010 server will be up to date with the latest security and vulnerability patches.
Here choose whether you want NIS to be enabled and your outgoing web traffic to be scanned for malicious code.
If you enabled NIS, a screen appears where you configure how often it checks for updates and installs them.
On the Customer Feedback screen select not to participate, and on the Telemetry Reporting Service screen choose whether you want to send information about malware to Microsoft or not. Finish the wizard and click the Close button. Now you have a fresh new installation of TMG 2010.