How to Install and Setup Microsoft Forefront Threat Management Gateway 2010

This is an initial guide to installing Microsoft TMG 2010. This software is the newest version of what was known as ISA Server 2004/2006.

Prerequisites: You must be running at least Server 2008 Service Pack 2 before using this program.

This setup takes place on a virtual machine running Server 2008 x64 SP2 and uses the x64 version of TMG 2010. This is a fresh install, not an upgrade scenario.

Download and use the executable to extract the installer program.

This will bring you to the initial startup screen for the installation once it completes.

Click “Run Preparation Tool” under the Prepare and Install section.

Choose your installation type.

This guide will be using Forefront TMG services and Management.

You will most likely need to reboot after this part of the installation completes.
Once rebooted, launch the autorun file in the extracted folder again. Now you can begin the actual installation.

Next you need to define what address range you want TMG to manage.

First, click the add button. Then click Add Adapter.

Select the network adapters you want TMG to be able to use.

Key in the IP range for the subnet that you want TMG to manage.

Then just follow the prompts and click install to begin the installation. This step will take longer depending on your system specs.

Once the install completes, and Forefront TMG is launched, it will bring up a getting started wizard.

Click “Configure Network Settings”.

Follow the wizard to select your network layout type.

After this wizard finishes, go to the next step by clicking “Configure System Settings”.

Follow the wizard to enter your domain name and how you want the server to be identified.

Now you’re on the last step. Click “Define Deployment Options”. This will let you activate your license type and define how you want TMG to get updates.

Choose how you want to handle signature updates.

When finished, check the box to run the Web Access Policy Wizard.

Use this wizard to create a default rule that blocks potentially unwanted URLs.

Decide what you want to use for malware inspection of HTTP content. Keep in mind that if you choose to block encrypted archives, it may affect how users are able to download .zip or .rar files.

Choose how you want TMG to scan HTTPS traffic.

Set your cache configuration.

After this is done the wizard will close. You will need to apply these changes for them to take effect. To do this, click “Apply” at the top of the screen.

You will want to save the changes and restart the service.

Enter a description for the change you’re making. Note that you can also click the “Export” button. This will back up your entire configuration before applying your new changes, so you can revert to the current state if your new changes break anything. Since this is the initial configuration, there is only a blank slate to revert to. However, when making subsequent changes, you should always back up your configuration before applying your new settings.

TMG 2010 gives you a nice new dashboard to view stats about what’s going on with your network. The column on the left is similar to ISA 2004/2006, but it has a few new options. You now have separate sections for Firewall Policy and Web Access Policy. Web Access Policy is where you will want to make browser proxy changes. There you can also change what port the web proxy is running on; make sure your client computers are configured accordingly.

You are now able to start adding rules for your access policies and applying them in the same way that you applied the initial configuration.

Additional information about configuration or features can be found by visiting the TMG 2010 website.
