Deploying Microsoft Forefront Threat Management Gateway 2010
Contents
Acknowledgments
Introduction
CHAPTER 1
Understanding Forefront Threat Management Gateway 2010
A History of Perimeter Protection
Forefront TMG as a Perimeter Network Device
Network Firewall
Forward and Reverse Proxy, Web Proxy, and Winsock Proxy Server
Web Caching Server
Remote Access VPN Server
Site-to-Site VPN Gateway
Secure Email Gateway
Forefront TMG as a Secure Web Gateway
Network Inspection System
Malware Inspection
HTTPS Inspection
URL Filtering
Forefront TMG Role within the Forefront Protection Suite
Forefront Unified Access Gateway 2010
Forefront Identity Manager
Forefront Protection for Exchange Server
Forefront Online Protection for Exchange
Forefront Protection 2010 for SharePoint
Administrator’s Punch List
CHAPTER 2
Installing and Configuring Forefront Threat Management Gateway 2010
Preparing to Install Forefront TMG
Choosing Deployment Options for Forefront TMG
Meeting Hardware and Software Requirements for Forefront TMG
Selecting the Forefront TMG Edition
Installing Forefront TMG
Reviewing Company Requirements
Completing the Installation Phases
Installing Forefront TMG
Post-Installation Configuration
Administrator’s Punch List
CHAPTER 3
Deploying Forefront TMG 2010 Service Pack 1
New Features in Service Pack 1
Planning Service Pack 1 Deployment
Installing Forefront TMG 2010 Service Pack 1
Configuring User Override for URL Filtering
Reporting Enhancements
Branch Office Support
What’s Next?
Administrator’s Punch List
About the Authors
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2010 by Yuri Diogenes and Dr. Thomas W. Shinder
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2010936127
Printed and bound in the United States of America.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/[email protected].
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Devon Musgrave
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design
Body Part No. X17-15053
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:
www.microsoft.com/learning/booksurvey/
What do you think of this book? We want to hear from you!
Acknowledgments
This Forefront project took almost a year to write and resulted in three separate books about deploying Forefront products. Although the authors get lots of credit, there can be little doubt that we could not have even begun, much less completed, this book without the cooperation (not to mention the permission) of an incredibly large number of people.
It’s here that we’d like to take a few moments of your time to express our gratitude to the folks who made it all possible.
With thanks…
To the folks at Microsoft Press who made the process as smooth as they possibly could: Karen Szall, Devon Musgrave, and their crew.
To the TMG Product Team folks, especially to Ori Yosefi and David Strausberg, for helping us by reviewing the Service Pack 1 chapter. To all our friends from CSS Security, especially to Bala Natarajan for reviewing content.
From Yuri
First and foremost to God, for blessing my life, leading my way, and giving me the strength to take on the challenges as just another step in life. To my eternal supporter in all moments of my life: my wife Alexsandra. To my daughters who, although very young, understand when I close the office door and say, “I’m really busy.” Thanks for understanding. I love you, Yanne and Ysis.
To my friend Thomas Shinder, whom I was fortunate enough to meet three years ago. Thanks for shaping my writing skills and also contributing to my personal growth with your thoughts, advice, and guidance. Without a doubt, these long months working on this project were worth it because of our amazing partnership. I can’t forget to thank the two other friends who wrote the Microsoft Forefront Threat Management Gateway Administrator’s Companion with me: Jim Harrison and Mohit Saxena. They were, without a doubt, the pillars for this writing career in which I’m now fully engaged. Thanks, guys. To, as Jim says, “da Boyz”: Tim “Thor” Mullen, Steve Moffat, and Greg Mulholland. You guys are amazing. Thanks for sharing all the tales.
To my friend Thomas Detzner and all ISA/TMG EMEA engineers (including the great folks from PFE), thanks for sharing your knowledge and all the partnerships that we have had over these years. I would also like to say thanks to all my friends from Microsoft CSS Security (in Texas, North Carolina, and Washington) for sharing experiences every day, with a special thanks to all the great engineers from CSS India—you guys are the pillars of this team. Thanks for pushing me with tough questions and concerns. To all the readers of my articles and blogs, thanks for all the feedback that you guys share with me. If I keep writing in my spare time, it is because I know you are reading it. To all the Forefront MVPs, keep up the amazing job that you guys do. Last, but not least, to my buddies Mohit Kumar, Alexandre Hollanda, Daniel Mauser, and Alejandro Leal, for your consistent support throughout the years.
From Tom
As Yuri does, I acknowledge the blessings from God, who took “a fool like me” and guided me on a path that I never would have chosen on my own. The second most important acknowledgement I must make is to my beautiful wife, Deb Shinder, whom I consider my hand of God. Without her, I don’t know where I would be today, except that I know that the place wouldn’t be anywhere near as good as the place I am now.
I also want to acknowledge my good friend Yuri Diogenes, my co-writer on this project. Yuri really held this project together. I had just started working for Microsoft and was learning about the ins and outs of the Microsoft system, and I was also taking on a lot of detailed and complex projects alongside the writing of this book. Yuri helped keep me focused, spent a lot of time pointing me in the right direction, and essentially is responsible for enabling me to get done what I needed to get done. I have no doubt that, without Yuri guiding this effort, it probably never would have been completed.
Props go out to Jim Harrison, “the King of TMG,” as well as to Greg Mulholland, Steve Moffat, and Tim Mullen. You guys were the moral authority that drove us to completion. I also want to give a special “shout out” to Mohit Saxena. His TMG chops and sense of humor also helped us over the finish line.
Finally, I want to thank the operators of ISAserver.org and all the members of the ISAserver.org community. You guys were the spark that started a flaming hot career for me with ISA Server and then TMG. You guys are a never-ending inspiration and a demonstration of the power of community and ways communities can work together to solve hard problems and share solutions.
Introduction
When we began this project, our intent was to create a real world scenario that would guide IT professionals in using Microsoft best practices to deploy Microsoft Forefront Threat Management Gateway (TMG) 2010. We hope you find that we have achieved that goal. We’ve also included the main deployment scenarios for Forefront TMG, and we take a deep dive into the installation process from the RTM version to the Service Pack 1 version.
This book provides administrative procedures, tested design examples, quick answers, and tips. In addition, it covers some of the most common deployment scenarios and describes ways to take full advantage of the product’s capabilities. This book covers pre-deployment tasks, use of Forefront TMG in a Secure Web Gateway Scenario, software and hardware requirements, and installation and configuration, using best practice recommendations.
Who Is This Book For?
Deploying Microsoft Forefront Threat Management Gateway 2010 covers the planning and deployment phases for this product. This book is designed for:
■ Administrators who are deploying Forefront TMG
■ Administrators who are experienced with Windows Server 2008 in general and with Windows networking in particular
■ Current ISA Server administrators
■ Administrators who are new to Forefront TMG
■ Technology specialists, such as security administrators and network administrators
Because this book is limited in size and we want to provide you the maximum value, we assume a basic knowledge of Windows Server 2008 and Windows networking. These technologies are not discussed in detail, but this book contains material on both of these topics that relates to Forefront TMG administrative tasks.
How Is This Book Organized?
Deploying Microsoft Forefront Threat Management Gateway 2010 is written to be a deployment guide and also to be a source of architectural information related to the product. The book is organized in such a way that you can follow the steps to plan and deploy the product. The steps are based on a deployment scenario for the company Contoso. As you go through the steps, you will also notice tips for best practices implementation. At the end of each chapter, you will see an “Administrator’s Punch List,” in which you will find a summary of the main administrative tasks that were covered throughout the chapter. This is a quick checklist to help you review the main deployment tasks.
The book is organized into three chapters: Chapter 1, “Understanding Forefront Threat Management Gateway 2010,” introduces you to the core concepts of firewalls, perimeter protection, and proxies and guides you through the use of Forefront TMG as a secure web gateway. Chapter 2, “Installing and Configuring Forefront Threat Management Gateway 2010,” guides you through the product’s installation and configuration. Chapter 3, “Deploying Forefront 2010 Service Pack 1,” covers the new features of Service Pack 1 and describes how to install and configure those features.
We really hope you find Deploying Microsoft Threat Management Gateway 2010 useful and accurate. We have an open door policy for email at [email protected], and you can contact us through our personal blogs and Twitter accounts:
■ http://blogs.technet.com/yuridiogenes and http://blogs.technet.com/tomshinder
■ http://twitter.com/yuridiogenes and http://twitter.com/tshinder
Support for This Book
Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media website. To find Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book and click Search.
3. Select the book from the search results, which will take you to the book’s catalog page.
4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.
If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.
We Want to Hear from You
We welcome your feedback about this book. Please share your comments and ideas through the following short survey:
http://www.microsoft.com/learning/booksurvey
Your participation helps Microsoft Press create books that better meet your needs and your standards.
NOTE We hope that you will give us detailed feedback in our survey. If you have questions about our publishing program, upcoming titles, or Microsoft Press in general, we encourage you to interact with us using Twitter at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown earlier.
CHAPTER 3
Deploying Forefront TMG 2010 Service Pack 1
■ New Features in Service Pack 1
■ Planning Service Pack 1 Deployment
■ Installing Forefront TMG 2010 Service Pack 1
■ Configuring User Override for URL Filtering
■ Reporting Enhancements
■ Branch Office Support
■ What’s Next?
In the summer of 2010, Microsoft released a major product update: Forefront TMG 2010 Service Pack 1 (SP1) for Microsoft Forefront Threat Management Gateway (TMG) 2010. This service pack is intended to not only fix some issues that were detected after Forefront TMG was released, but also add new capabilities to the product. This chapter describes the new features, the way to install Forefront TMG 2010 SP1, the way to deploy the core features available in this service pack, and what’s coming next.
New Features in Service Pack 1
Forefront TMG 2010 SP1 provides improvements to Forefront TMG in four core areas:
■ Reporting: Forefront TMG 2010 SP1 changes the look and feel of Forefront TMG reports and adds a new user activity report that can show more detailed information about the pages a user browsed and the URL categories that were requested by the user.
■ Secure Web Access: One of the main uses for Forefront TMG is as a Secure Web Gateway (SWG). One of TMG’s core features, called URL Filtering, is a key component of SWG. Forefront TMG 2010 SP1 brings a new capability, called URL Filtering User Override, to this feature. URL Filtering User Override allows users to override the access restrictions put in place by the URL Filtering feature implemented by the TMG administrator.
■ Branch Office Support: Forefront TMG 2010 SP1 takes advantage of the BranchCache feature that is available in Windows Server 2008 R2. This feature provides branch office users with an improved browsing experience while reducing bandwidth utilization between the branch and main offices.
■ Publishing: A new publishing wizard supports SharePoint 2010 deployments through Forefront TMG.
These features will be covered in detail in this chapter. However, before we discuss new features, it is important to get more details on Forefront TMG 2010 SP1 deployment.
Planning Service Pack 1 Deployment
Before installing Forefront TMG 2010 SP1 on Forefront TMG, it is necessary to plan the deployment to ensure that it goes smoothly. The installation sequence and prerequisites will vary according to your TMG setup. The overall installation process is shown in Figure 3-1:
FIGURE 3-1
In order to carry out the Forefront TMG 2010 SP1 installation procedures correctly, you will need to answer the following questions:
■ Which Forefront TMG version (Enterprise or Standard) are you using?
■ Are the Forefront TMG firewalls deployed as array members or as stand-alone servers?
■ What Forefront TMG role (EMS or Firewall) is the machine providing?
When you have this information, you can determine the installation sequence from Table 3-1.
NOTE Before you apply Forefront TMG 2010 SP1, create a full backup of your current Forefront TMG configuration. You should also have the latest Windows updates installed on the computer on which TMG is installed.
TABLE 3-1 Installation based on the Forefront TMG setup

| TMG SETUP | INSTALLATION ORDER | GENERAL NOTES |
| --- | --- | --- |
| Single Server | 1. Single server installation point | Regardless of the Forefront TMG setup, always run the setup with an elevated administrative level. |
| Array | 1. Enterprise Management Servers (master and replicas); 2. Array managers; 3. Array members | Before you install Forefront TMG 2010 SP1 on Forefront TMG Enterprise Edition, you must log on to EMS using the credentials that were used to install EMS during the initial setup process. If you try to install the update using a different administrator account, the installation might fail. |
Installing Forefront TMG 2010 Service Pack 1
Assuming that you downloaded Forefront TMG 2010 SP1 in English—from the Microsoft Download Center (http://www.microsoft.com/downloads/details.aspx?FamilyID=f0fd5770-7360-4916-a5be-a88a0fd76c7c&displaylang=en) to a temporary folder, such as C:\temp—start the installation by following these steps:
1. Click Start, right-click Command Prompt, and choose the Run As Administrator option.
2. Type cd c:\temp to switch to the temporary folder.
3. Type TMG-KB981324-AMD64-ENU.msp, and press Enter.
4. On the Open File – Security Warning page, click Open.
5. When the Welcome To The Update For Microsoft Forefront TMG Service Pack 1 page appears, as shown in Figure 3-2, click Next to continue.
FIGURE 3-2
6. When the License Agreement page appears, read the license agreement and select the I Accept The Terms In The License Agreement check box, and then click Next to proceed.
7. The Locate Configuration Storage Server page appears. Because this is the first Forefront TMG to which we are applying Forefront TMG 2010 SP1, the option to specify the configuration storage server is unavailable (grayed out), as shown in Figure 3-3. When you are applying Forefront TMG 2010 SP1 on array members, this option will be available so that you can specify the configuration storage server. Click Next to continue.
FIGURE 3-3
8. When the Ready To Install The Program page appears, click Install.
9. After the installation is finished, the Installation Wizard Completed page appears, as shown in Figure 3-4. Click Finish to conclude the installation.
FIGURE 3-4
10. To confirm that the Forefront TMG 2010 SP1 installation is in place, you can open the Forefront TMG Management console, click System, and verify the Forefront TMG version, which should be 7.0.8108.200, as shown in Figure 3-5.
FIGURE 3-5
Administrator's Insight: Troubleshooting an Installation
There are several issues that you might encounter when installing Forefront TMG 2010 SP1, some of which are documented in the Forefront TMG 2010 SP1 release notes (http://technet.microsoft.com/en-us/library/ff717843.aspx#troubleshooting). There may be other problems with the installation that will require troubleshooting. The general rule of thumb is to start troubleshooting the installation by reviewing the error messages presented in the UI, and then go to the Forefront TMG setup logs to track the root causes of the issues. The Forefront TMG Setup Installation logs are located at %windir%\temp, and the ADAM Setup log files are located at %windir%\debug.
There are two articles on the TMG Team Blog and one on my blog that describe a general approach to troubleshooting installation issues:
■ "Troubleshooting ERROR: Setup failed to install ADAM.\r\n (0x80074e46) and 0x80070643 while trying to install TMG 2010" can be found at http://blogs.technet.com/b/isablog/archive/2010/07/07/troubleshooting-error-setup-failed-to-install-adam-r-n-0x80074e46-and-0x80070643-while-trying-to-install-tmg-2010.aspx.
■ “Another TMG 2010 Installation failure with error 0x80070643” can be found at http://blogs.technet.com/b/isablog/archive/2010/07/13/another-tmg-2010-installation-failure-with-error-0x80070643.aspx.
■ “Unable to install Forefront TMG 2010 – Error 0x80074e46” can be found at http://blogs.technet.com/b/yuridiogenes/archive/2010/08/16/unable-to-install-forefront-tmg-2010-error-0x80074e46.aspx.
Although these articles are not specifically related to Forefront TMG 2010 SP1, they can be used as troubleshooting methodology for your installation process on Forefront TMG.
Configuring User Override for URL Filtering
In a world in which compliance and security policy enforcement are growing trends, having a secure Web gateway that reflects your IT business requirements is a real advantage. One of the pillars for the Forefront TMG Secure Web Gateway scenario is URL Filtering, which directly affects user productivity by filtering traffic to unwanted destinations. A new enhancement to the URL Filtering feature, introduced with Forefront TMG 2010 SP1, allows users to override restricted Web access and proceed on a per-request basis. This can provide a more flexible Web access policy by allowing users to decide whether to access a site that was initially denied to them. This can help reduce help desk calls, especially for Web sites that have been incorrectly categorized.
While this might sound too flexible when the subject is policy enforcement, the fact of the matter is that the user will receive a warning that a Web site being entered is prohibited and that entering the Web site will be logged. This can help to reveal user Internet usage behavior when accessing prohibited Web sites. This feature uses the logic illustrated in Figure 3-6.
FIGURE 3-6
When Forefront TMG sends the Deny page, as illustrated by Step 4, if the user clicks Override Access Restriction, Forefront TMG will allocate to the user's browser a cookie that will accompany all subsequent Web requests to this domain, and the browser is triggered to reload the URL. Once Forefront TMG receives the Web request with the cookie, it will effectively disable the blocking rule for this particular Web request. It is important to understand that the cookie will remain valid only for the length of the browser session or until the configured time-out period expires. The other important notes about this feature are:
■ In order for the user override feature to work, one of the subsequent firewall policy rules must allow access to the requested destination.
■ User override configuration requires that you create Deny rules; you cannot enable Allow rules with category exceptions and then enable a user override.
■ The user override option only works for the HTTP protocol.
■ User override is not supported for HTTPS traffic.
■ You can’t customize the content type for the user override feature; the rule must apply to all types of HTTP content.
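A simplified model of the user override logic described above, added here as an illustration (it is not Forefront TMG code or code from the book). The rule names, host names, and verdict strings are constructed, and explicit host sets stand in for URL categories.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlsplit

SESSION = None  # cookie without a time-out: lives until the browser closes


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    hosts: frozenset                   # constructed stand-in for URL categories
    allow_override: bool = False       # the Allow User Override setting
    override_minutes: Optional[int] = SESSION


def click_override(rule, host, cookie_jar, now):
    """User clicked Override Access Restriction: the browser gets a cookie
    scoped to this domain, valid for the session or the configured time."""
    if rule.override_minutes is SESSION:
        cookie_jar[host] = SESSION
    else:
        cookie_jar[host] = now + timedelta(minutes=rule.override_minutes)


def cookie_is_valid(cookie_jar, host, now):
    if host not in cookie_jar:
        return False
    expiry = cookie_jar[host]
    return expiry is SESSION or now < expiry


def evaluate(rules, url, cookie_jar, now):
    """Return 'allow', 'deny' or 'deny_with_override' for one Web request."""
    parts = urlsplit(url)
    host = parts.hostname
    for rule in rules:                 # rules are processed in order
        if host not in rule.hosts:
            continue
        if rule.action == "allow":
            return "allow"
        # Deny rule: override is offered for HTTP only, never for HTTPS.
        can_override = rule.allow_override and parts.scheme == "http"
        if can_override and cookie_is_valid(cookie_jar, host, now):
            continue                   # blocking rule disabled for this request
        return "deny_with_override" if can_override else "deny"
    return "deny"                      # no subsequent rule allowed the request


# Constructed policy: chat.example is denied and has no later Allow rule.
RULES = [
    Rule("Deny rule (override enabled)", "deny",
         frozenset({"games.example", "chat.example"}),
         allow_override=True, override_minutes=30),
    Rule("Allow rule", "allow", frozenset({"games.example", "news.example"})),
]


def walk_through():
    jar = {}                           # the browser's cookies, keyed by domain
    t0 = datetime(2010, 9, 1, 9, 0)
    verdicts = []
    # First request hits the Deny rule and gets the Deny page with the button.
    verdicts.append(evaluate(RULES, "http://games.example/", jar, t0))
    click_override(RULES[0], "games.example", jar, t0)
    # Reload with the cookie: Deny rule is skipped, the later Allow rule matches.
    verdicts.append(evaluate(RULES, "http://games.example/", jar,
                             t0 + timedelta(minutes=10)))
    # After the 30-minute time-out the cookie no longer counts.
    verdicts.append(evaluate(RULES, "http://games.example/", jar,
                             t0 + timedelta(minutes=31)))
    # HTTPS to the same host: no override, even with a valid cookie.
    verdicts.append(evaluate(RULES, "https://games.example/", jar, t0))
    # Override clicked, but no subsequent Allow rule covers the destination.
    click_override(RULES[0], "chat.example", jar, t0)
    verdicts.append(evaluate(RULES, "http://chat.example/", jar,
                             t0 + timedelta(minutes=1)))
    return verdicts


if __name__ == "__main__":
    for verdict in walk_through():
        print(verdict)
```

The last case is the one to check when reviewing a policy: enabling override on a Deny rule grants access only where a later Allow rule already covers the destination.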
Now that you know how the core functionality of this feature works, the next step is to implement it by following these steps:
1. Open the Forefront TMG Management console.
2. Click Web Access Policy, right-click the rule that denies the traffic to a set of destinations (for this example we will use the default Deny rule created by the Web Access Policy Wizard), and choose Properties.
3. Click the Action tab, and then select the Allow User Override option, as shown in Figure 3-7.
FIGURE 3-7
NOTE You can also specify a range of time during which the user can stay on the blocked URL. This is the time that the assigned cookie will be valid for the user.
4. To customize the error message that the user will receive when attempting to browse a blocked URL, click Advanced. The Action Advanced Properties dialog box appears, as shown in Figure 3-8.
FIGURE 3-8
5. Type your custom message, as shown in Figure 3-8, click OK, click OK again, and click Apply to commit the changes.
Now that you’ve implemented this feature, you can perform a test using a client who is trying to browse a Web site that matches one of the categories specified on the Deny rule on which the user override feature is enabled. The user will receive an error message, and the Override Access Restriction button will be available, as shown in Figure 3-9.
FIGURE 3-9
IMPORTANT If you don’t have an Allow rule for this destination, the user won’t be able to access this Web site even by clicking Override Access Restriction.
Reporting Enhancements
One of the most highly anticipated changes in Forefront TMG 2010 SP1 is the enhancement to the reporting feature. The new report design changes the look and feel of Forefront TMG reports, and the new format provides clearer information. Figure 3-10 shows an example of the new report main page.
FIGURE 3-10
NOTE More sample reports can be found in “Reporting Improvements in Forefront TMG SP1,” at http://blogs.technet.com/b/isablog/archive/2010/08/15/reporting-improvements-in-forefront-tmg-sp1.aspx.
The user activity report will contain more granular information about the Web sites that the user visited, including the URL category for each site.
NOTE While writing this book, a Reporting issue was detected after installing TMG SP1. To view the problem and the solution for this problem, review Yuri Diogenes’s answer on the following forum thread: http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeMLR/thread/543b0ef3-68fa-442c-bb3d-a42177809016.
Branch Office Support
The new Branch Office integration functionality uses a new wizard to help you take advantage of the Windows Server 2008 R2 BranchCache role. This option enables Forefront TMG to act as Hosted Cache Server in a branch office scenario. The Forefront TMG UI dashboard for branch and Web cache utilization can be used for monitoring. To illustrate this feature and the capability to use a Read-Only Domain Controller (RODC) on Forefront TMG, we are going to use the topology shown in Figure 3-11.
FIGURE 3-11
In order to prepare the RODC you will need to:
■ Verify that you have network connectivity to the Headquarters Domain Controller (HQDC) and that you set the branch server's DNS to the HQDC.
■ If the RODC role is already installed on the server located in the branch office, create a slipstream version of Forefront TMG with Forefront TMG 2010 SP1 to install on top of the RODC. If you try to prepare the RODC without the slipstream version, you will receive the error message shown in Figure 3-12.
FIGURE 3-12
■ Verify that the server located in the branch office is already a member of the domain (in this case it is a member of contoso.com).
■ Verify that the server located in the branch office uses the domain controller at headquarters as its DNS server.
■ Verify that the certificate that will be used by the BranchCache feature is already installed on Forefront TMG under Personal Store, which is under Certificates (Local Computer). Remember that the certificate must be trusted by the clients that are behind Forefront TMG in the branch office.
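The verification items in the list above can be scripted on the branch server before promotion. The following PowerShell is an added example, not taken from the book; the HQDC address is a constructed placeholder, and contoso.com is the domain used in the chapter's example.

```powershell
# Added example: pre-flight checks on the branch server before RODC promotion.
# Assumptions: $HqDcAddress is a constructed placeholder for your HQDC;
# $DomainName is the domain used in the chapter's example.
$HqDcAddress = '10.0.0.10'
$DomainName  = 'contoso.com'
$now         = Get-Date
$checks      = @()

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Network connectivity to the HQDC (ICMP only; a filtered ping fails this check).
$ping = Test-Connection -ComputerName $HqDcAddress -Count 2 -Quiet
$checks += Add-Check 'HQDC reachable' $ping $HqDcAddress

# 2. The server is already a member of the expected domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$checks += Add-Check 'Domain member' ($cs.PartOfDomain -and $cs.Domain -eq $DomainName) $cs.Domain

# 3. The HQDC appears among the DNS servers configured on the IP-enabled adapters.
$dns = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
         ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
$checks += Add-Check 'DNS points to HQDC' ($dns -contains $HqDcAddress) ($dns -join ', ')

# 4. Certificates (Local Computer) > Personal holds a certificate that has a
#    private key, is inside its validity period, and chains to a root this
#    server trusts. Trust on the branch clients must be checked on the clients.
$usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.Verify()
})
$subjects = ($usable | ForEach-Object { $_.Subject }) -join '; '
$checks += Add-Check 'Usable certificate in Personal store' ($usable.Count -gt 0) $subjects

$checks | Select-Object Check, Passed, Detail | Format-Table -AutoSize -Wrap
```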
With these elements in place, the first step is to enable the RODC role on the server on which Forefront TMG is installed to prepare the forest for RODC. To do that, the forest must be at a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 functional level. You must run the adprep /rodcprep command on the current domain controller for the domain.
After preparing the forest, you will run the dcpromo command on the server on which Forefront TMG will be installed, and then follow the wizard. On the Additional Domain Controller Options page, be sure to select the Read-Only Domain Controller (RODC) option, as shown in Figure 3-13.
FIGURE 3-13
Continue to follow the wizard to complete the promotion of this server to a read-only domain controller.
NOTE For the complete planning and deployment guide for Active Directory RODC, review the article "Deploying RODCs in Branch Offices" at http://technet.microsoft.com/en-us/library/dd735411(WS.10).aspx.
The next step is to install Forefront TMG 2010 SP1 on the server on which the RODC is installed:
1. Run the following command from an elevated command prompt:
ServerManagerCmd.exe -inputpath <DVD_path>\FPC\PreRequisiteInstallerFiles\WinRolesInstallSA_Win7.xml -logPath C:\Windows\TEMP\TMG-Prerequisites.log
2. Prepare a Forefront TMG 2010 SP1 slipstream DVD by following these steps:
• Copy the Forefront TMG DVD and the Forefront TMG 2010 SP1 MSP file to a local drive on the target computer. For the purposes of this example, let’s assume this is c:\temp\TMG. At a command prompt, type the following command and press Enter.
msiexec /a c:\temp\TMG\FPC\MS_FPC_SERVER.msi /p TMG-KB981324-amd64-ENU.msp /qb /L*v c:\tmg\log.txt
• Run the upgraded setup program by typing c:\temp\TMG\FPC\setup.exe at a command prompt and pressing Enter. Follow the wizard for the Forefront TMG installation. For more information on Forefront TMG installation, review Chapter 2, “Installing and Configuring Forefront Threat Management Gateway 2010.”
NOTE During the installation process, be sure to define the internal network to include the branch subnets and complete the installation.
The Forefront TMG installation automatically identifies that it is running on a domain controller and enables the system policy that allows DC traffic from the internal network to the Forefront TMG server as well as from the HQDCs (if they are outside the internal network).
Every branch account (user or computer) that is joined to the domain needs to have its password replicated to the RODC for authentication. To replicate the password, complete the following steps on the HQDC:
1. In the Active Directory Users and Computers console, select the Domain Controllers branch, right-click on the RODC, and select Properties.
2. Click the Password Replication Policy tab, and then click Add.
3. Select Allow Passwords For The Account To Replicate To This RODC, select all relevant local users for this branch, and then click OK.
4. On the RODC’s Properties page, click Advanced, and verify that the user accounts you added appear in the list of Accounts for which the passwords are stored on this Read-only Domain Controller.
5. Active Directory must complete replicating the user information to the RODC before you can log on with these accounts.
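The verification in step 4 can be repeated as a periodic audit from the HQDC, so that only branch accounts end up cached on a server that sits at the network edge. The following PowerShell is an added example, not taken from the book; it assumes the ActiveDirectory module (Windows Server 2008 R2) is available, and the RODC name is a hypothetical placeholder.

```powershell
# Added example: audit which passwords an RODC is allowed to cache and which
# it currently stores. Run on the HQDC with the ActiveDirectory module loaded.
Import-Module ActiveDirectory

# Assumption: hypothetical computer name of the branch RODC running Forefront TMG.
$Rodc = 'BRANCH-TMG01'

# Principals on the Allowed list of the Password Replication Policy (steps 2-3).
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
"Allowed list for ${Rodc}:"
$allowed | Sort-Object Name | ForEach-Object { '  {0} ({1})' -f $_.Name, $_.ObjectClass }

# Accounts whose passwords are stored on the RODC right now (the list in step 4).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

$report = @(foreach ($acct in $revealed) {
    # The RODC's own computer account and its krbtgt_* account are expected entries.
    if ($acct.SamAccountName -like 'krbtgt_*' -or $acct.SamAccountName -eq "$Rodc`$") { continue }

    # adminCount = 1 marks accounts that are, or once were, in a protected group.
    $obj    = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
    # Effective policy for this account on this RODC: Allow, DenyExplicit,
    # DenyImplicit or Unknown.
    $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $Rodc

    New-Object PSObject -Property @{
        Account    = $acct.SamAccountName
        Policy     = $policy
        Privileged = ($obj.adminCount -eq 1)
    }
})

$report | Sort-Object Account | Format-Table Account, Policy, Privileged -AutoSize

# Flag cached credentials that are privileged or no longer covered by an Allow entry.
$flagged = @($report | Where-Object { $_.Privileged -or $_.Policy -ne 'Allow' })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} cached account(s) on {1} need review: {2}" -f
        $flagged.Count, $Rodc, (($flagged | ForEach-Object { $_.Account }) -join ', '))
}
```

An account flagged here still has its password stored on the RODC until that password is reset, even after the account is removed from the Allowed list.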
The next step to configure the branch office Forefront TMG is to enable BranchCache support. To perform this operation:
1. Open the Forefront TMG Management console.
2. Click Firewall Policy, and on the Task Pane, click Configure BranchCache.
3. In the BranchCache window, select Enable BranchCache (Hosted Cache Mode), as shown in Figure 3-14.
FIGURE 3-14
4. Click the Authentication tab; click Select, as shown in Figure 3-15; and then choose the certificate that will be presented to the client computers for authentication.
FIGURE 3-15
5. Optionally, you can select the Require Client Computers To Be Members Of The Same Domain As Forefront TMG option if you want to restrict the access to this feature. If Forefront TMG is in a workgroup, you should not use this option.
6. Click OK to continue, and then click Apply to commit the changes.
What’s Next?
At the time we were writing this chapter, the Forefront TMG product team was finalizing the next update (post-SP1) for Forefront TMG; it is called Update 1. Update 1 will include some additions to the product, such as:
■ SafeSearch This is a feature that acts as an automated adult-oriented-content filter in Web search engines, such as Bing and Yahoo. SafeSearch is activated by the end user from a search Web page. Forefront TMG can be used for SafeSearch enforcement when organizational policy requires that all or some of its personnel perform SafeSearch only.
NOTE For more information about the SafeSearch feature, read http://blogs.technet.com/b/isablog/archive/2010/09/21/new-in-forefront-tmg-update-1-safesearch-enforcement.aspx.
■ Multiple Categories for URL Filter This capability provides a way of categorizing multiple categories in a single URL. With this feature, a Forefront TMG Administrator will be able to create access rules that consider all categories returned by Microsoft Reputation Services. An example of usability of this option is: a site can be categorized as primarily a “general business” site, but also as a “Webmail” site. In this case, the “general business” category is ranked higher than the “Webmail” category. So, for example, if a Forefront TMG Administrator wanted to block Webmail, but couldn’t with Forefront TMG 2010 SP1 because a site’s primary category was general business, the multiple categories feature of Update 1 will allow the Webmail to be blocked.
NOTE For more information about the Multiple URL Categories feature, read http://blogs.technet.com/b/isablog/archive/2010/09/21/new-in-forefront-tmg-update-1-multiple-url-categories.aspx.
■ Improve Support of User Account Control in Patch Installation and Uninstallation Update 1 will include improvements in the installation and uninstallation processes to provide a better product experience in scenarios in which User Account Control (UAC) is enabled.
Beyond these core changes, other minor changes will be included in Update 1.
Administrator’s Punch List
In this chapter, you learned about the new features of Forefront TMG 2010 SP1 and how to configure those features, you learned about the enhancements included in Forefront TMG 2010 SP1, and you heard about what’s coming next with Update 1. When preparing to deploy Forefront TMG 2010 SP1, keep in mind the following points:
■ Review your current environment before deploying Forefront TMG 2010 SP1. Knowing the current role of each Forefront TMG can assist you in installing this service pack in the correct order.
■ In an enterprise scenario, before you install Forefront TMG 2010 SP1, you must log on to the EMS using the same credentials that were used to install EMS during the setup process.
■ You will need to use administrative elevated privileges in order to install Forefront TMG 2010 SP1.
■ If you have installation problems, review the Forefront TMG installation logs under %windir%\temp.
■ When using the URL Filtering User Override option, be sure to review the reports and logs to identify the users who are using sites that were initially blocked by URL Filtering.
■ After installing Forefront TMG 2010 SP1, review the new report design, and create new reports based on user activity.
■ Be sure to plan the BranchCache deployment before enabling it.
■ If the RODC role is already installed on the server on which Forefront TMG 2010 SP1 will be installed, it will not work with the Forefront TMG RTM version. You will need to create a slipstream version of Forefront TMG.
■ To prepare for the RODC installation, you must run the adprep /rodcprep command on the current controller for the domain.