
Page 1: Forefront TMG Operations

Forefront TMG Operations

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The Forefront TMG Operations guide provides information to help you configure Forefront TMG business scenarios, and manage and maintain your Forefront TMG servers. The guide includes the following topics:

Setting up access to the Internet and corporate resources—Provides instructions on how to set up access to the Web for internal users, access for remote users and sites to the Internal network via virtual private networking, and access for internal and external users to corporate resources, such as SharePoint and Outlook Web Access.

Protecting your networks—Provides instructions on how to protect the computers and servers in your extended network.

Administering Forefront TMG—Provides instructions on how to monitor, back up and perform other administrative tasks for Forefront TMG.

http://technet.microsoft.com/en-us/library/cc441590.aspx

Setting up access to the Internet and corporate resources

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

One of the primary business scenarios for Forefront TMG is enabling secure access to the Web and to internal corporate resources. The following topics provide information that can help you configure different types of access in Forefront TMG:

Configuring firewall policy—Provides information about creating access rules and recommendations regarding rule order.

Configuring Web access—Provides information about creating a Web access policy for users and clients connected to the corporate network.

Configuring VPN access—Provides information about configuring site-to-site and remote client virtual private network (VPN) access.

Configuring publishing—Provides information about configuring access to corporate resources such as SharePoint and Exchange.

Configuring firewall policy

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)


The following topics provide information about configuring a firewall policy in Forefront TMG:

Creating a firewall policy—Provides an overview of creating a firewall policy.

Creating an access rule—Describes the basic steps of creating an access rule.

Firewall policy configuration recommendations—Contains guidelines for optimizing your firewall policy.

Configuring VoIP—Describes how to create access rules allowing voice over IP (VoIP) traffic.

Creating a firewall policy

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can create a firewall policy, which includes a set of access rules and publishing rules. These rules, together with network rules, determine how clients access resources across networks. For an overview of access rules, see Planning to control network access. For an overview of publishing rules, see Planning for publishing.

Working with access rules

Access rules control access from one network to another. One of the primary functions of Forefront TMG is to connect source and destination networks while protecting them against malicious access. To provide this connectivity, you use Forefront TMG to create an access policy that permits clients on the source network to access specific computers on the destination network. The access policy determines how clients access other networks.

For information about creating access rules, see Creating an access rule.

For information about creating outbound Web access rules, that is, access from a client computer to the Internet, see Configuring Web access.

Working with publishing rules

Publishing rules control inbound access to published servers. Forefront TMG can make servers securely accessible to clients on another network. You use Forefront TMG to create a publishing policy to securely publish servers. The publishing policy (which consists of Web publishing rules, server publishing rules, secure Web publishing rules, and mail server publishing rules) and the Web chaining rules determine how published servers are accessed.

You can use one of the following Forefront TMG rules to publish servers:

Web publishing rules—To publish Web server content.

Server publishing rules—To publish any other content.


Secure Web publishing rules—To publish Secure Sockets Layer (SSL) content.

Exchange mail publishing rules—To publish Web client mail access on an Exchange server or server farm.

When Forefront TMG processes an HTTP or HTTPS request from a client, it checks publishing rules and Web chaining rules to determine whether the request is allowed, and which server will service the request.

For non-HTTP requests, Forefront TMG checks the network rules and then checks the publishing rules to determine if the request is allowed.

For information about creating Web publishing rules, see Configuring Web publishing.

For information about creating server publishing rules, see Configuring publishing of other protocols.

Creating an access rule

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to create access rules using the New Access Rule wizard.

To create an access rule using the New Access Rule wizard

1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node, and in the Tasks pane, click Create Access Rule.

2. Follow the instructions to complete the New Access Rule Wizard:

On the Rule Action page, specify whether the rule should allow or deny access.

On the Protocols page, to select the FTP, HTTP, or HTTPS protocols, leave the default setting Selected Protocols, and then click Add. In the Add Protocols dialog box, click to expand Web, and then select FTP, HTTP, or HTTPS. Do not select the protocols ending in "Server". These are used for non-Web server publishing rules, and not for outbound access.

On the Malware Inspection page, select whether to enable malware inspection for the rule. To enable this setting, malware inspection must be enabled globally. For more information, see Enabling malware inspection.

On the Access Rule Sources page, select the network objects from which requests will be received.


On the Access Rule Destinations page, select where to send the received requests. For Web access, select the External network (the Internet).

On the Users page, select whether requests for the rule must be authenticated. For anonymous access, leave the default All Users setting. To specify that the rule will only apply to a particular group of users, click Add, and then select either the predefined user sets or create a custom user set.

Firewall policy best practices

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

These best practices help you create a firewall policy that produces the behavior you intend and provides security benefits, and they can also improve the performance of your Forefront TMG deployment.

General Policy Guidelines

The performance of Forefront TMG is related to the type of information it requires to evaluate the rules. Because rules are evaluated in order, you want to place the rules that can be processed quickly near the top of the rule list if this does not interfere with the behavior of the firewall policy you have designed. This way, if a request matches a rule that is high in the order, Forefront TMG does not have to compare the request to rules that might take longer to process.

Simple Rule Elements

The following rule elements require simple networking information and therefore are evaluated quickly:

Protocol definitions

Schedules

All IP address based network elements (computers, computer sets, subnets, networks, and network sets)

Also, source port information is evaluated quickly.

Rules that use these elements should be placed at the top of the rule list.

Complex Rule Elements

The following rule elements require additional networking information and therefore are evaluated more slowly:

Domain name sets and URL sets


Users (other than the built-in "All Users" user set)

Content type

Rules that contain such elements should be placed at the bottom of the rule list.

Rules Using Application Filters

Rules that use the SMTP filter, HTTP filter, or FTP filter slow performance.

General Rule Order Recommendations

We recommend that you organize your access rules in this order:

1. Global deny rules. Rules that deny specific access to all users. These rules should use the rule elements that require simple networking information. An example of such a rule would be a rule that denies all users access from anywhere to anywhere on protocols used for peer-to-peer file sharing.

2. Global allow rules. Rules that allow specific access to all users. These rules should use the rule elements that require simple networking information. An example of this would be a rule allowing access on the DNS protocol from the Internal network to the External network.

3. Rules for specific computers. Rules that allow or deny access for specific computers, for example, a rule allowing UNIX computers access to the Internet.

4. Rules for specific users, URLs, and MIME types, and also publishing rules. Rules that contain rule elements that require additional networking information and that enforce policy for specific users, or for specific URLs or Multipurpose Internet Mail Extensions (MIME) types. Publishing rules should also occur at this point in the rule order.

5. Other allow rules. Rules that handle traffic that does not match rules that occur previously in the list of rules, assuming the traffic is allowed by your corporate policy. For example, a rule allowing all traffic from the Internal network to the Internet.

Note:

Server publishing and Web publishing rules can be placed anywhere in the rule order after global allow or deny rules.

Specific Best Practices

The following best practices should be considered when creating firewall policy.


User Sets and Unauthenticated Users

Place rules that are based on user sets lower in the rule order. If you put these rules high in the rule order, you preclude further processing of traffic from unauthenticated users that otherwise matches the rule definition. This can have the unintended effect of an allow rule functioning as a deny rule for unauthenticated users.

When traffic from an unauthenticated client matches a rule that is based on a user set, Forefront TMG does not continue evaluating later rules for that traffic; it drops the traffic instead. This prevents unauthenticated users from bypassing the user set based rules by matching a later, less restrictive rule.

Note:

Forefront TMG can only try to match authenticated users against rules that require client membership in a user set. Authenticated users include Firewall clients, virtual private network (VPN) clients, and authenticated Web clients.

Use IP Addresses

Where possible, use IP addresses rather than DNS names in your firewall policies. This reduces the reliance of Forefront TMG on the DNS servers, and this results in better performance. However, be aware that in some situations, you will not achieve the desired behavior by using IP addresses. For example, if you are trying to deny access to a site and the site’s IP address is assigned dynamically, or if the site has more than one IP address, blocking an IP address does not block the site reliably. In this case, you should use the fully qualified domain name (FQDN) to block the site. For extra reliability, you can use both IP addresses and FQDNs in a rule. Note that you have to create separate rule elements for the IP addresses and for the FQDNs. When you use IP addresses and FQDNs in a single rule, the Forefront TMG rule engine first evaluates the request using the IP addresses, so that if there is a match, there is no need to try to resolve the FQDN to an IP address. This improves the efficiency of the rule. For examples of how Forefront TMG evaluates names and IP addresses in HTTP requests, see Name Evaluation in this document.

Use Fully Qualified Domain Names for URL Sets and Domain Name Sets

Use fully qualified domain names (FQDN) in domain name sets and URL sets. For examples of how Forefront TMG evaluates URLs and IP addresses in HTTP requests, see Name Evaluation in this document.

User Authentication and Performance

When a rule requires user authentication, it must rely on connectivity to and speed of the authenticating server, such as the domain controller or Remote Authentication Dial-In User Service (RADIUS) server. The authentication process can affect the performance of Forefront TMG. We therefore recommend that rules requiring authentication be placed near the bottom of the list of rules (assuming that this conforms to your policy design), so that only traffic that is not matched by an earlier rule will encounter the authenticating rule.

Note:


You can use Forefront TMG connectivity verifiers to monitor connectivity with various servers. Connectivity verifiers are described in Forefront TMG Help.

Firewall Clients and User Sets

If the firewall policy includes a rule that refers to a user set (other than the default All Users), the Firewall client always tries to authenticate, and authentication fails if the client computer is in a workgroup or in an untrusted domain. The Firewall client is then unable to establish a connection with the Forefront TMG computer, and no traffic is allowed.

Protocol Definitions

Do not create protocol definitions that duplicate or overlap existing protocol definitions. This can lead to unexpected behavior. For example, you may create a rule that allows all traffic except for a specific protocol, and you may find that the traffic you meant to deny on that protocol is actually allowed because there is a similar protocol defined. We recommend that you check the list of existing protocols carefully before you define additional protocols.

Rules by MIME Type

MIME types should be used as a criterion only in rules that apply solely to HTTP traffic. Because MIME types are not applicable to other types of traffic, a rule that includes any protocol other than HTTP and refers to MIME types is effectively disabled for those protocols.

Access Rules and Network Rules

An access rule that defines access between two networks will not allow access unless there is also a network rule defining the relationship between those two networks. This is also true for server publishing rules, but not for Web publishing rules.

Deny Access Rule on All Protocols with Source Port Restriction

Do not create a deny access rule on all protocols that includes a source port restriction. Because source ports are not checked for secondary connections, all protocols will then be blocked on secondary connections (if the rule allowing the secondary connection is lower in the rule order than the deny access rule with the source port restriction).

Secure the Remote Management Computers Computer Set

Restrict membership in the Remote Management Computers computer set to computers that require remote administration access. For example, do not add entire networks, such as the Internal network, to the computer set. This helps protect the firewall from worms that affect those networks.

Network for Infected Computers

Create a network to contain computers that are infected. Do not create any network rules for the network, so that it will not have any access. When a computer is infected, move it into that network. Note that each computer that you move into this network creates a gap in the address range of the Internal network, thus fragmenting it. Fragmented networks have a negative performance impact on Forefront TMG Network Load Balancing (NLB), so this approach should be used carefully, and computers should be returned to their original network as quickly as possible.


Access Rule for Windows Update

To enable access to the Windows Update servers, create an access rule allowing access for users to the Microsoft Update Domain Name Set. This rule should be placed high in the ordered list of firewall policy rules. In particular, it must precede Web access rules that require authentication, which may block some users from obtaining updates from Windows Update.

Note:

In this scenario, on the Web proxy tab for the user network, after you click Authentication, you should not select Require all users to authenticate, because this will also block access to Windows Update.
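The two ordering effects described in this section (cheap elements first, and an allow rule based on a user set blocking unauthenticated clients that match it, which is also why the Windows Update rule must precede rules that require authentication) can be checked with a small first-match model. The following Python script is an added example, not code from this guide or from Forefront TMG; the rule names, protocol names, domain name set member, user names and the per-element costs are constructed for illustration and are not TMG's own values.

```python
# Added example (not from the Forefront TMG guide): a first-match model of
# access rule evaluation. It is not TMG's engine; costs are illustrative only.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    src_net: str
    dst_net: str
    protocol: str
    host: str = ""               # requested site name (Web requests only)
    user: Optional[str] = None   # None = client has not authenticated


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    protocols: Optional[frozenset] = None     # None = all protocols
    src_nets: Optional[frozenset] = None      # None = any source network
    dst_nets: Optional[frozenset] = None      # None = any destination network
    domains: Optional[frozenset] = None       # domain name set; None = any site
    users: Optional[frozenset] = None         # user set; None = All Users

    def cost(self) -> int:
        """Illustrative weights: simple (protocol/network) elements 1 each,
        complex elements (domain name sets, user sets) 10 each."""
        simple = sum(1 for e in (self.protocols, self.src_nets, self.dst_nets) if e)
        complex_ = sum(10 for e in (self.domains, self.users) if e)
        return max(1, simple + complex_)

    def match(self, req: Request) -> str:
        """Return 'match', 'no-match', or 'needs-auth'."""
        if self.protocols is not None and req.protocol not in self.protocols:
            return "no-match"
        if self.src_nets is not None and req.src_net not in self.src_nets:
            return "no-match"
        if self.dst_nets is not None and req.dst_net not in self.dst_nets:
            return "no-match"
        if self.domains is not None and not any(
                req.host == d or req.host.endswith("." + d) for d in self.domains):
            return "no-match"
        if self.users is not None:
            if req.user is None:
                return "needs-auth"     # network elements matched, user unknown
            if req.user not in self.users:
                return "no-match"
        return "match"


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, int]:
    """First-match evaluation; returns (decision, accumulated cost)."""
    work = 0
    for rule in policy:
        work += rule.cost()
        outcome = rule.match(req)
        if outcome == "needs-auth":
            # Per the guide: unauthenticated traffic that matches a user-set
            # rule is not evaluated against later rules, so an allow rule
            # placed high behaves as a deny for unauthenticated clients.
            return "deny (unauthenticated)", work
        if outcome == "match":
            return rule.action, work
    return "deny (default rule)", work


# Constructed policy. Protocol and host names are illustrative; TMG ships its
# own Microsoft Update Domain Name Set, whose members are not listed here.
INTERNAL, EXTERNAL = frozenset({"Internal"}), frozenset({"External"})
WEB = frozenset({"HTTP", "HTTPS"})
deny_p2p = Rule("Deny P2P", "deny", protocols=frozenset({"BitTorrent", "eDonkey"}))
allow_dns = Rule("Allow DNS", "allow", frozenset({"DNS"}), INTERNAL, EXTERNAL)
allow_update = Rule("Allow Windows Update", "allow", WEB, INTERNAL, EXTERNAL,
                    domains=frozenset({"update.microsoft.com"}))
allow_web_auth = Rule("Allow Web for staff", "allow", WEB, INTERNAL, EXTERNAL,
                      users=frozenset({"alice", "bob"}))

RECOMMENDED = [deny_p2p, allow_dns, allow_update, allow_web_auth]
MISORDERED = [allow_web_auth, allow_update, deny_p2p, allow_dns]

# Constructed requests: an unauthenticated (SecureNAT-style) client fetching
# updates, a DNS query, and an authenticated user's Web request.
update_unauth = Request("Internal", "External", "HTTPS", host="update.microsoft.com")
dns_req = Request("Internal", "External", "DNS")
staff_web = Request("Internal", "External", "HTTP", host="www.fabrikam.com", user="alice")

if __name__ == "__main__":
    for label, policy in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        for req in (update_unauth, dns_req, staff_web):
            print(label, req.protocol, req.host or "-", evaluate(policy, req))
```

Both orders reach the same decision for the authenticated user and for the DNS query; they differ only in how many (and how expensive) rules are touched. For the unauthenticated client, the misordered policy stops at the user-set rule with a deny and never reaches the Windows Update rule, which is exactly the failure the note above warns about.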

Name Evaluation

When a client makes an HTTP request, the request may specify a site name, an FQDN, or an IP address. This topic provides examples of how Forefront TMG handles each kind of request.

If an HTTP request uses a site name, such as http://www.fabrikam.com, Forefront TMG recognizes the name in the request and performs a forward name resolution to a DNS server to get the FQDN, aliases, and the IP addresses associated with that name. The result is that Forefront TMG has available the site name, the FQDN, the aliases, and the IP addresses to compare to the access rule requirements. Any one of those elements could be a match to the rule, depending on which element was used in the rule.

In the example of www.fabrikam.com, the following elements could match an access rule:

Name: www.fabrikam.com

FQDN: fabrikam.com

IP addresses: 207.46.250.119, 207.46.130.108

If an HTTP request uses an IP address, Forefront TMG first checks the rules to see if a rule matches that IP address. During this process, if Forefront TMG encounters a rule that requires a name, it performs reverse name resolution to obtain the FQDN for that IP address. Forefront TMG can then compare the FQDN to the access rule definitions.

If the reverse name resolution fails, only the original IP address in the request is used in comparison to the rule definitions.

Note:

In the case of a SecureNAT client requesting a site by name, Forefront TMG first verifies that the host header content is not masking an unrelated IP address requested by the client. If this verification succeeds, the process continues as it would for a Web Proxy client.
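As an added example (not code from this guide or from Forefront TMG), the following Python model walks a request by name and a request by IP address through the comparison described above: IP elements are compared first, a name is forward-resolved to its FQDN, aliases and addresses, an IP address is reverse-resolved only when a rule needs a name, and only the IP address is compared when reverse resolution fails. The DNS records are constructed (the two addresses are those quoted above; the PTR data is invented), and the rules are illustrative.

```python
# Added example (not from the Forefront TMG guide): a model of name and IP
# evaluation against IP-based and FQDN-based rule elements. DNS data is
# constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed DNS data (addresses are the ones quoted in the guide).
FORWARD = {
    "www.fabrikam.com": {"names": {"www.fabrikam.com", "fabrikam.com"},
                         "ips": {"207.46.250.119", "207.46.130.108"}},
}
REVERSE = {"207.46.250.119": "www.fabrikam.com"}   # .108 has no PTR record


class Resolver:
    """Counts lookups so the scenarios show when DNS is (not) consulted."""
    def __init__(self) -> None:
        self.lookups = 0

    def forward(self, name: str) -> Optional[dict]:
        self.lookups += 1
        return FORWARD.get(name.lower())

    def reverse(self, ip: str) -> Optional[str]:
        self.lookups += 1
        return REVERSE.get(ip)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    ips: FrozenSet[str] = frozenset()          # computer set (IP based element)
    domains: FrozenSet[str] = frozenset()      # domain name set (FQDNs)

    def unrestricted(self) -> bool:
        return not self.ips and not self.domains


def domain_match(hostnames: Set[str], domains: FrozenSet[str]) -> bool:
    """An entry matches itself and its subdomains."""
    return any(h == d or h.endswith("." + d) for h in hostnames for d in domains)


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def evaluate(policy: List[Rule], target: str, resolver: Resolver) -> Tuple[str, str]:
    """Return (decision, matching rule name) for a Web request to `target`."""
    if is_ip(target):
        ptr_names: Optional[Set[str]] = None       # reverse lookup deferred
        for rule in policy:
            if rule.unrestricted() or target in rule.ips:
                return rule.action, rule.name      # IP elements first, no DNS
            if rule.domains:
                if ptr_names is None:
                    ptr = resolver.reverse(target)
                    ptr_names = {ptr} if ptr else set()   # failure: IP only
                if domain_match(ptr_names, rule.domains):
                    return rule.action, rule.name
        return "deny", "default rule"

    record = resolver.forward(target)              # FQDN, aliases, addresses
    names = {target.lower()} | (record["names"] if record else set())
    ips = record["ips"] if record else set()
    for rule in policy:
        if rule.unrestricted() or (rule.ips & ips) or domain_match(names, rule.domains):
            return rule.action, rule.name
    return "deny", "default rule"


def decide(policy: List[Rule], target: str) -> Tuple[str, str, int]:
    """Evaluate with a fresh resolver; also report how many lookups it took."""
    r = Resolver()
    action, rule = evaluate(policy, target, r)
    return action, rule, r.lookups


# Constructed policies: a block rule followed by a catch-all Web allow rule.
FABRIKAM_IPS = frozenset({"207.46.250.119", "207.46.130.108"})
ALLOW_WEB = Rule("Allow all Web", "allow")
BY_NAME = [Rule("Block fabrikam (FQDN only)", "deny",
                domains=frozenset({"fabrikam.com"})), ALLOW_WEB]
COMBINED = [Rule("Block fabrikam (IPs + FQDN)", "deny",
                 FABRIKAM_IPS, frozenset({"fabrikam.com"})), ALLOW_WEB]

if __name__ == "__main__":
    for target in ("www.fabrikam.com", "207.46.250.119", "207.46.130.108"):
        print(target, decide(BY_NAME, target), decide(COMBINED, target))
```

The third target is the practical caveat: a deny rule that uses only the FQDN is bypassed by a request for an address that has no PTR record, which is why the guide recommends combining IP addresses and FQDNs in a rule. The combined rule also blocks the request without any DNS lookup, since the IP elements are compared first.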


Configuring VoIP

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information on:

Configuring access for VoIP—How to create access rules which allow Voice over IP (VoIP) over Forefront TMG.

Configuring advanced VoIP settings—How to configure VoIP settings which allow clients on the Internal network to receive and send calls through the Internet Protocol Private Branch Exchange (IP PBX) system.

Configuring access for VoIP

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can configure policy rules that allow Voice over IP (VoIP) traffic through Forefront TMG.

VoIP uses two protocols, both typically carried over User Datagram Protocol (UDP): Session Initiation Protocol (SIP) for call establishment and termination, and Real-time Transport Protocol (RTP) for media (audio and video).

An Internet Protocol Private Branch Exchange (IP PBX) telephone system switches calls between VoIP users. The IP PBX transfers voice over data networks, such as local area network (LAN) and wide area network (WAN), and can also switch calls between a VoIP user and a traditional telephone user, or between two traditional telephone users. When Forefront TMG is deployed at the edge or within your organization, you can configure policy rules which enable SIP and RTP traffic to pass through Forefront TMG.

The following procedures describe:

Configuring an external (hosted) IP PBX

Configuring an internal IP PBX connected to the PSTN

Configuring an internal IP PBX with a SIP trunk

Configuring an internal IP PBX with an external (hosted) IP PBX

Configuring an external (hosted) IP PBX

Use this configuration when you use an external or hosted IP PBX system provided by an Internet Telephony Service Provider (ITSP). This VoIP configuration adds the following rules:

Allow SIP traffic between phones and IP PBX—Enables SIP traffic from the internal phones to reach the external PBX.


Allow RTP traffic to External network—Enables media traffic from the internal phones to reach the external network.

Allow RTP traffic between phones—Enables media traffic between the internal phones.

To configure a hosted IP PBX

1. On the Forefront TMG server, click the Firewall Policy node.

2. In the Tasks tab, click Configure VoIP.

3. In the SIP Configuration Wizard, select IP phones are connected to an External (Hosted) IP PBX.

4. Follow the steps in the wizard to specify the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the phones that will be used for SIP traffic.

5. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

Configuring an internal IP PBX connected to the PSTN

Use this configuration when you use an internal IP PBX and the PSTN for external calls. In this case, you need a SIP gateway that converts calls between the IP network and the PSTN. This VoIP configuration adds the following rules:

Allow RTP traffic to SIP gateway—Enables media (RTP) traffic from the internal phones and IP PBX to reach the SIP gateway.

Allow RTP to internal IP PBX—Enables media (RTP) traffic from the internal phones and SIP gateway to reach the IP PBX.

Allow RTP traffic to Phones—Enables media (RTP) traffic from the IP PBX and SIP gateway to reach the IP phones.

Allow SIP traffic SIP IP PBX and internal SIP components—Enables SIP traffic between the IP phones, IP PBX, and SIP gateway.

To configure an internal IP PBX connected to the PSTN

1. On the Forefront TMG server, click the Firewall Policy node.

2. In the Tasks tab, click Configure VoIP.

3. In the SIP Configuration Wizard, select IP phones are connected to an Internal IP PBX.


4. Select The internal PBX is not connected to an external service provider and The internal PBX is connected to a PSTN via SIP.

5. Follow the steps in the wizard to specify the location of the SIP gateway, the IP address of the internal PBX, and specify the network addresses of the internal IP phones.

6. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

Configuring an internal IP PBX with a SIP trunk

Use this configuration when you use an internal IP PBX and a SIP trunk between your IP PBX and the ITSP for external calls. This VoIP configuration adds the following rules:

Allow RTP traffic to internal IP PBX—Enables media (RTP) traffic from the internal phones to reach the IP PBX, that is, the internal SIP Proxy.

Allow RTP traffic to phones—Enables media (RTP) traffic from the IP PBX to reach the IP phones.

Allow RTP traffic to External network—Enables media (RTP) traffic from the internal phones and IP PBX to reach the external network.

Allow SIP traffic between internal IP PBX and external IP PBX—Enables SIP from the internal IP PBX to reach the external IP PBX.

Allow SIP between internal SIP components—Enables SIP between the IP phones and the IP PBX.

Publish internal IP PBX to the External network—Allows traffic from the external IP PBX to reach the internal IP PBX.

To configure an internal IP PBX with a SIP trunk

1. On the Forefront TMG server, click the Firewall Policy node.

2. In the Tasks tab, click Configure VoIP.

3. In the SIP Configuration Wizard, select IP phones are connected to an Internal IP PBX.

4. Select The internal PBX is serviced by SIP trunk service.

5. Follow the steps in the wizard to specify the IP address of the internal PBX, the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the internal IP phones.


6. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

Configuring an internal IP PBX with an external (hosted) IP PBX

Use this configuration when you use an internal IP PBX and a hosted PBX. This VoIP configuration adds the following rules:

Allow RTP traffic to internal IP PBX—Enables media (RTP) traffic from the internal phones to reach the IP PBX, that is, the internal SIP Proxy.

Allow RTP traffic to phones—Enables media (RTP) traffic from the IP PBX to reach the IP phones.

Allow RTP traffic to External network—Enables media (RTP) traffic from the internal phones and IP PBX to reach the external network.

Allow SIP traffic between internal IP PBX and external IP PBX—Enables SIP from the internal IP PBX to reach the external IP PBX.

Allow SIP traffic between the SIP IP PBX and internal SIP components—Enables SIP between the internal SIP components and the SIP IP PBX.

To configure an internal IP PBX with an external (hosted) IP PBX

1. On the Forefront TMG server, click the Firewall Policy node.

2. In the Tasks tab, click Configure VoIP.

3. In the SIP Configuration Wizard, select IP phones are connected to an Internal IP PBX.

4. Select The internal PBX is serviced by external (hosted) service.

5. Follow the steps in the wizard to specify the IP address of the internal PBX, the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the internal IP phones.

6. The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.

Configuring advanced VoIP settings

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)


VoIP settings allow clients on the Internal network to receive and send calls through the IP PBX system. The following procedures describe how to enable and configure VoIP settings and SIP quotas.

To configure VoIP settings

1. In the Forefront TMG Management console, in the tree, click Firewall Policy.

2. On the Tasks tab, click Configure VoIP Settings.

3. Select Enable internal SIP clients to register externally to enable clients on the internal network to receive incoming calls from the IP PBX.

4. In the External registration IP address dialog box, enter a network IP address dedicated to the IP PBX system. If you use 0.0.0.0, the Forefront TMG external IP address is used.

5. In Number of registration ports for SIP in addition to default port, enter the number of times the same client can register with the external IP PBX.

To configure SIP quotas

1. In the Forefront TMG Management console, in the tree, click Firewall Policy.

2. On the Tasks tab, click Configure VoIP Settings.

3. Click Configure SIP Quotas.

4. In Global max number of registrations on the filter, enter the number of internal clients that are allowed to register with the external IP PBX.

5. In Max number of registrations for specific IP address, enter the number of internal clients that are allowed to register with the external IP PBX via a specific IP address.

6. In Global max number of calls on the filter, enter the number of simultaneous calls allowed from internal clients to the external IP PBX.

7. In Max number of calls for specific IP address, enter the number of simultaneous calls allowed from the internal clients to the external IP PBX via a specific Internal IP address.
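The four quota values interact: the global limits cap the SIP filter as a whole, while the per-address limits stop one internal phone from consuming the whole allowance. The following Python model is an added example (not code from this guide or from Forefront TMG's SIP filter) that replays a constructed sequence of REGISTER, INVITE and BYE messages from internal phones against two quota settings; the addresses and message sequence are invented for illustration.

```python
# Added example (not from the Forefront TMG guide): a model of the four SIP
# quota limits applied to constructed SIP traffic from internal phones.
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SipQuotas:
    global_max_registrations: int   # Global max number of registrations on the filter
    max_registrations_per_ip: int   # Max number of registrations for specific IP address
    global_max_calls: int           # Global max number of calls on the filter
    max_calls_per_ip: int           # Max number of calls for specific IP address


class SipQuotaFilter:
    def __init__(self, quotas: SipQuotas) -> None:
        self.q = quotas
        self.registrations = Counter()   # active registrations per internal IP
        self.calls = Counter()           # active calls per internal IP

    def register(self, ip: str) -> bool:
        """REGISTER from an internal phone: passes unless a limit is reached."""
        if sum(self.registrations.values()) >= self.q.global_max_registrations:
            return False
        if self.registrations[ip] >= self.q.max_registrations_per_ip:
            return False
        self.registrations[ip] += 1
        return True

    def invite(self, ip: str) -> bool:
        """INVITE (new outbound call) from an internal phone."""
        if sum(self.calls.values()) >= self.q.global_max_calls:
            return False
        if self.calls[ip] >= self.q.max_calls_per_ip:
            return False
        self.calls[ip] += 1
        return True

    def bye(self, ip: str) -> None:
        """BYE ends a call and frees its slot."""
        if self.calls[ip] > 0:
            self.calls[ip] -= 1


def replay(quotas: SipQuotas, events: List[Tuple[str, str]]) -> List[bool]:
    """Apply the quotas to (method, source IP) events; True = message passed."""
    f = SipQuotaFilter(quotas)
    handlers = {"REGISTER": f.register, "INVITE": f.invite}
    results = []
    for method, ip in events:
        if method == "BYE":
            f.bye(ip)
            results.append(True)
        else:
            results.append(handlers[method](ip))
    return results


# Constructed traffic: phone .11 re-registers repeatedly (a misbehaving or
# compromised phone), then two other phones register and calls are placed.
EVENTS = [
    ("REGISTER", "10.0.0.11"), ("REGISTER", "10.0.0.11"),
    ("REGISTER", "10.0.0.11"), ("REGISTER", "10.0.0.11"),
    ("REGISTER", "10.0.0.12"), ("REGISTER", "10.0.0.13"),
    ("INVITE", "10.0.0.11"), ("INVITE", "10.0.0.11"),
    ("INVITE", "10.0.0.12"), ("INVITE", "10.0.0.13"),
    ("BYE", "10.0.0.11"), ("INVITE", "10.0.0.13"),
]

# With only the global limits effectively set, one phone can exhaust them.
GLOBAL_ONLY = SipQuotas(4, 100, 2, 100)
# Per-address limits leave room for the other phones.
PER_IP = SipQuotas(4, 2, 2, 1)

if __name__ == "__main__":
    print(replay(GLOBAL_ONLY, EVENTS))
    print(replay(PER_IP, EVENTS))
```

Under GLOBAL_ONLY the four registrations from 10.0.0.11 fill the global registration quota and both other phones are refused; under PER_IP the third and fourth registrations from 10.0.0.11 are refused instead and the other phones register and call normally. The BYE shows a call slot being returned before the last INVITE.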

Configuring Web access

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information about configuring Web access in Forefront TMG:


Enabling access to the Internet—Describes how to create and configure Web access policy rules.

Caching Web site content—Describes how to set up caching of frequently downloaded content in order to improve the speed of Web access and improve network performance.

Enabling access to the Internet

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

In Forefront TMG, you enable access to the Web by creating access rules. When creating a Web access policy for your organization, it is recommended that you do the following:

1. Use the Web Access Policy wizard to create a basic Web access policy. This basic policy provides anonymous access for internal users to all Web destinations, except for those Web destinations that you select. You can use predefined URL categories to filter out the types of Web destinations you do not want your users to access. You can also designate users or user sets to whom these blocks do not apply. The wizard also allows you to enable protection technologies for Web-based threats.

2. After completing the Web Access Policy wizard, you can fine-tune the Web access policy by editing the properties of the Web access rules. Among other things, you can force users to authenticate before granting them access to the Web, set up different access rules for different users, control the times when they can access the Web, and what file types they can download.

The following topics describe how to enable and configure Web access in your organization:

Creating a basic Web access policy—Describes how to create a simple Web access policy.

Configuring Web access rule options—Describes how to differentiate the Web access policy for different users and computers.

Customizing HTML error messages in Forefront TMG—Describes how to customize the error messages that Web browser clients sometimes receive as a result of a Web request.

Caching Web site content

Updated: February 1, 2010


Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG implements a cache feature that improves the performance and response times for Web requests. Forward caching provides cached Web objects to internal users who make requests to the Internet, thus providing faster access and reduced traffic on the Internet connection. The topics in this section describe how to enable and configure caching, create rules that specify which content should be cached, and create content download jobs to specify how content should be collected.

In this section

Enabling caching

Configuring cache rules

Configuring content download jobs

Configuring VPN access

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides virtual private network (VPN) access to the internal corporate network, for clients on remote networks and roaming clients who connect over the Internet. The following topics provide information about configuring VPN access in Forefront TMG:

Configuring site-to-site VPN access—Describes how to create a VPN connection to a remote network. This enables clients on the remote network to access resources on the corporate network with high security, while enabling clients on the corporate network to access resources on the remote site.

Configuring remote client VPN access—Describes how to allow users who work remotely to connect to the corporate network over the Internet with high security.

http://technet.microsoft.com/en-us/library/dd897034.aspx

Configuring site-to-site VPN access

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can allow clients on remote networks to connect to resources on your corporate network by establishing a site-to-site virtual private network (VPN). The following topics describe how to configure a site-to-site VPN connection:

Creating a user account to authenticate the remote site—Describes how to create a user account so that the remote site can authenticate to the VPN gateway.


Creating a VPN remote site connection—Provides step by step instructions for creating a remote site connection using the Create VPN Site-to-Site Connection wizard.

Testing the configuration (site-to-site)—Describes how to test site-to-site connectivity by trying to access a computer on the remote network.

Configuring addresses for NLB-enabled remote sites—Describes the special considerations when working with remote sites that use Network Load Balancing.

Configuring EAP authentication—Describes how to complete the configuration of Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) networks, using Extensible Authentication Protocol (EAP).

Terminating inactive VPN connections automatically—Describes how to configure Forefront TMG to terminate inactive connections on PPTP and L2TP VPN networks.

Configuring remote client VPN access

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Enabling remote access via a virtual private network (VPN) allows users who work remotely to connect to an organization's private network over the Internet. For information about planning your VPN deployment, see Planning for virtual private networks. The following topics provide information about configuring remote client access via a VPN in Forefront TMG:

Defining remote VPN clients

Enabling basic remote client access

Configuring remote client access with enhanced security

Installing the remote access quarantine tool

Configuring RQS and RQC based quarantine control

Enforcing VPN client health requirements using NAP

http://technet.microsoft.com/en-us/library/bb838876.aspx

Configuring publishing

Updated: February 1, 2010


Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information about configuring publishing in Forefront TMG:

Configuring Web publishing

Configuring publishing of other protocols

http://technet.microsoft.com/en-us/library/dd441032.aspx

Configuring Web publishing

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can publish Web servers over secure or unsecured connections. The following topics describe how to configure different types of Web publishing:

Configuring Web publishing: Overview

Publishing Web servers over HTTP

Publishing Web servers over HTTPS

Configuring Outlook Web Access publishing

Configuring Outlook Mobile Access publishing

Configuring ActiveSync publishing

Configuring SharePoint publishing

Configuring Web publishing rules

Customizing HTML forms

Configuring bandwidth prioritization

Configuring HTTP compression

http://technet.microsoft.com/en-us/library/cc441546.aspx

Configuring publishing of other protocols

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)


Using Forefront TMG, you can publish servers running protocols other than HTTP. Forefront TMG uses server publishing rules to forward incoming client requests for non-HTTP servers located in a network protected by Forefront TMG. A server publishing rule maps a port number and one or more IP addresses on which the Forefront TMG computer listens for client requests to a port number and IP address on the published server.

The following topics describe how to create server publishing rules:

Creating and using a server protocol

Configuring FTP server publishing

Configuring SQL Server publishing

Configuring RDP publishing

http://technet.microsoft.com/en-us/library/cc441471.aspx

Protecting your networks

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG has a number of protection technologies that allow you to protect the computers and servers in your extended network. The following topics describe how to enable, configure, and keep up-to-date these protections:

Note:

For more information about these protections, see Protection design guide for Forefront TMG.

Configuring protection from known vulnerabilities—Describes how to protect your networks from attempts to exploit known vulnerabilities in operating systems and applications.

Configuring protection from network attacks—Describes how to protect your networks from flood, DNS, and other kinds of attacks.

Configuring protection from Web-based threats—Describes how to protect your organization from malware and other Web-based threats.

Configuring protection from e-mail-based threats—Describes how to protect your SMTP mail servers (and consequently e-mail recipients) from spam, viruses, and other malware.

Managing definition updates for Forefront TMG—Describes how to configure the update mechanisms for these protections.


http://technet.microsoft.com/en-us/library/dd441054.aspx

Administering Forefront TMG

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

This guide provides information about administering Forefront TMG. The following topics explain how to manage day-to-day operations for Forefront TMG:

Monitoring Forefront TMG

Managing URL filtering

Backing up and restoring the Forefront TMG configuration

Forefront TMG Troubleshooting

http://technet.microsoft.com/en-us/library/cc441452.aspx

Monitoring Forefront TMG

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information that can help you monitor Forefront TMG:

Monitoring activity from the dashboard

Configuring alerts

Configuring Forefront TMG logs

Configuring Forefront TMG reports

http://technet.microsoft.com/en-us/library/dd897028.aspx

Monitoring activity from the dashboard

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG monitoring allows you to do the following:

Monitor connectivity to network servers. You can create connectivity verifiers to check the availability of specific network servers. For instructions, see Monitoring server connectivity.


Track activity by monitoring current sessions for Forefront TMG Clients, Web proxy clients, and SecureNAT clients. For instructions, see Monitoring client sessions.

Check the current state of the system by monitoring alerts that have been issued, as well as the status of services. For more information, see Monitoring alerts.

Monitor traffic status by using performance counters. For details, see Monitoring performance.

Check the status of Forefront TMG configuration on each array member.

Configuring alerts

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG events are generated by Forefront TMG services when particular run-time conditions occur. The alert service of Forefront TMG acts as a dispatcher and an event filter. It notifies you when specified events occur by triggering an alert for the event. Some events have additional conditions. In this case, both the event and the additional condition must occur before the alert is triggered.

Forefront TMG provides a number of predefined alerts for every type of event defined by Forefront TMG.

The following topics provide information that can help you configure alerts:

Configuring alert definitions

Configuring alert actions

Configuring Forefront TMG logs

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides a number of logging formats, including logging to a text file, a local SQL Server Express database, and a remote SQL Server computer. Because Forefront TMG is deployed to help secure your network, it is critical that logging information is always available and accurate. You should carefully monitor alerts and verify that their activity is always being logged. Forefront TMG provides a log queue feature to help ensure log availability during peak logging.

Check for alerts that indicate failure to log for a variety of reasons, including disk space, SQL Server connectivity issues, and others.

The following table summarizes the default log settings following installation (columns: Setting, Details, Defaults):

Firewall log
  Details: Logs traffic handled by the Firewall service.
  Defaults: Enabled by default to log into the SQL Express database on the local computer.

Web proxy log
  Details: Logs traffic handled by the Web proxy filter.
  Defaults: Enabled by default to log into the SQL Express database on the local computer.

Log folder
  Details: Location of log files.
  Defaults: By default in the ISALogs folder of the Forefront TMG installation directory.

Log limits
  Details: Management of log file size.
  Defaults: Total size limit = 8GB; Free disk size to maintain = 512MB; Maintenance method: Delete files as necessary; Delete files older than = 7 days.

Log queue
  Details: The log queue is used to temporarily store log entries when they cannot be formatted. This may occur when log entries are generated faster than they can be formatted, or there is no connectivity to a remote SQL Server database.
  Defaults: By default the log queue is stored in the ISALogs folder of the Forefront TMG installation folder.

Alerts
  Details: The alerts service notifies you when specific events occur.
  Defaults: All log-related alerts are enabled by default.
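The Log limits row above, worked through as an added example (my illustration, not Forefront TMG's own maintenance code): it applies the table's defaults (8GB total, 512MB free disk to maintain, 7-day age limit) to a constructed set of log files and reports which files the "Delete files as necessary" method would remove and whether the limits can be met at all. The file names, sizes, and the assumption that expired files are removed before size-based pruning are mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

GB = 1024 ** 3
MB = 1024 ** 2

# Default log limits from the table above.
TOTAL_SIZE_LIMIT = 8 * GB
FREE_DISK_TO_MAINTAIN = 512 * MB
MAX_AGE = timedelta(days=7)


@dataclass
class LogFile:
    name: str
    size: int            # bytes
    modified: datetime


def plan_log_maintenance(files: List[LogFile], free_disk: int,
                         now: datetime) -> Tuple[List[str], bool]:
    """Model of the 'Delete files as necessary' maintenance method (the
    ordering is an assumption, not Forefront TMG's actual routine).

    Returns (names to delete, limits_met). Files older than MAX_AGE are
    always removed; then the oldest remaining files are removed until the
    total size limit and the free-disk target are both satisfied.
    limits_met is False when even an empty log folder leaves too little
    free disk, which is the disk-space failure the log alerts warn about.
    """
    remaining = sorted(files, key=lambda f: f.modified)   # oldest first
    total = sum(f.size for f in remaining)
    deleted: List[str] = []

    def drop(f: LogFile) -> None:
        nonlocal total, free_disk
        remaining.remove(f)
        deleted.append(f.name)
        total -= f.size
        free_disk += f.size      # deleting a log returns its space to the volume

    for f in list(remaining):                            # 1. age-based pruning
        if now - f.modified > MAX_AGE:
            drop(f)

    while remaining and (total > TOTAL_SIZE_LIMIT
                         or free_disk < FREE_DISK_TO_MAINTAIN):
        drop(remaining[0])                               # 2. oldest first

    limits_met = (total <= TOTAL_SIZE_LIMIT
                  and free_disk >= FREE_DISK_TO_MAINTAIN)
    return deleted, limits_met


# Constructed sample: four log files in the ISALogs folder, 12GB in total,
# on a volume with only 300MB free. Names are illustrative only.
NOW = datetime(2010, 1, 30, 0, 30)
SAMPLE_FILES = [
    LogFile("fw_2010-01-20.log", 3 * GB, NOW - timedelta(days=10)),
    LogFile("fw_2010-01-25.log", 4 * GB, NOW - timedelta(days=5)),
    LogFile("web_2010-01-26.log", 3 * GB, NOW - timedelta(days=4)),
    LogFile("fw_2010-01-29.log", 2 * GB, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    to_delete, ok = plan_log_maintenance(SAMPLE_FILES, 300 * MB, NOW)
    print("delete:", to_delete)      # the expired file, then the oldest 4GB file
    print("limits met:", ok)
```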

The following topics provide information that can help you configure and maintain logs and run log queries:

Enabling logging

Configuring logging to a remote SQL server

Setting up SQL Server for logging

Page 22: Forefront TMG Operations

Configuring logging to SQL Server Express

Configuring logging to a text file

Configuring the log location

Configuring the log queue

Selecting log fields

Logging requests matching a rule

Configuring logging to avoid lockdown

Querying the Forefront TMG logs

Configuring Forefront TMG reports

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

With Forefront TMG reporting, you can create a permanent record of common usage patterns, and you can summarize and analyze log information. For example, you can determine:

Who is accessing sites, and which sites are being accessed.

Which protocols and applications are being used most often.

General traffic patterns.

Cache ratio.

Security monitoring. For example, you can generate reports that track malicious attempts to access internal resources. Similarly, by tracking the number of connections to a published server or the traffic to the server, you might identify an attempt at denial of service.

Malware activity.

URL filtering.

Network inspection activity.

Report types and categories

There are two types of reports:


One-time reports. These ad hoc reports provide an immediate picture of the activity recorded by Forefront TMG over any period you specify.

Recurring report jobs. You can schedule automated reports on a daily, weekly, or monthly basis. The time periods available for these reports are more structured than those of one-time reports; a report that is generated every day will show a day's activity, and a report that is generated once a month will show exactly a month's activity.

Note:

Reports contain activity from the previous day and earlier.

Forefront TMG provides predefined report categories and subcategories. These reports can be customized.

Reporting mechanism

Forefront TMG reports are based on log summaries derived from the Web Proxy and Firewall logs. Using SQL Server Reporting Services, Forefront TMG generates two types of log summaries, daily and monthly, on which all reports are based. Log summaries are generated at night (by default at 12:30am), although this time is configurable.

The following topics provide information that can help you configure reports:

Creating reports

Viewing reports

Customizing reports

Changing the report server

Managing URL filtering

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide information about managing URL filtering:

Introduction to managing URL filtering

Looking up a URL category

Overriding URL categorization

http://technet.microsoft.com/en-us/library/dd897105.aspx

Introduction to managing URL filtering

Updated: February 1, 2010


Applies To: Forefront Threat Management Gateway (TMG)

URL filtering allows you to create access rules that allow or block access to Web sites based on their categorization in the URL filtering database. When a request to access a Web site is received, Forefront TMG queries the remotely hosted Microsoft Reputation Service to determine the categorization of the Web site. If the Web site has been categorized as a blocked URL category or category set, Forefront TMG blocks the request.

If a user requests access to a Web site and discovers that access to the Web site is blocked, they receive a denial notification that includes the denied request category. In some cases, the user may contact the administrator to dispute the categorization of the Web site. In such a case, you must check that the URL was categorized properly (see Looking up a URL category). If the Web site was not categorized correctly, then you must create a custom setting for this URL (see Overriding URL categorization).

http://technet.microsoft.com/en-us/library/dd897045.aspx

Looking up a URL category

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following procedure describes how to query the URL filtering database regarding the categorization of a URL or IP address.

To look up a URL category

1. In the Forefront TMG Management console, in the tree, click Web Access Policy.

2. In the Tasks pane, click Query for URL Category.

3. On the Category Query tab, type a URL or IP address, and then click Query. The result of the category is displayed on the tab, as well as some insight as to the source of the categorization, such as by override, IP address, or URL alias.

4. To change a domain's categorization, copy the URL or IP address to the computer's clipboard, and click the URL Category Override tab. For more information, see Overriding URL categorization.

Note:

Each URL must include a host name, and may include a path, query string, escaped characters (such as “%20” to represent a space) and a protocol (such as HTTP://). For example, http://www.contoso.com/training/.

Overriding URL categorization

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following procedure describes how to specify a new URL category for an IP address or URL.


To override URL categorization

1. In the Forefront TMG Management console, in the tree, click Web Access Policy.

2. In the Tasks pane, click Configure URL Filtering.

3. On the URL Category Override tab, click Add.

4. Under Override the default URL category for this URL pattern, type a URL pattern in the format www.contoso.com/*.

Note:

Each URL must include a host name and a path, and may include a query string and escaped characters (such as “%20” to represent a space). Do not include a protocol (such as HTTP://) with the URL.

Forefront TMG does not support the use of Internationalized Domain Name (IDN) URLs.

5. Under Move URL pattern to this category, select a new URL category.

6. Click OK. The URL Categories Override dialog closes. Click OK again and then on the Apply Changes bar, click Apply.
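The lookup-then-override flow described in Looking up a URL category and Overriding URL categorization, as one added example serving both topics (my code, not Forefront TMG's): it validates override patterns against the rules in the note above (host name and path required, no protocol, no IDN), then resolves a URL first against the overrides and otherwise against a constructed dictionary standing in for the remotely hosted Microsoft Reputation Service, reporting the source of the categorization. The category names, sample hosts, and the wildcard semantics of the pattern are assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase
from typing import Dict, Set, Tuple
from urllib.parse import unquote, urlsplit


class OverridePatternError(ValueError):
    """Raised when a URL pattern breaks the rules in the note above."""


def validate_override_pattern(pattern: str) -> str:
    """Normalize an override pattern such as www.contoso.com/*.

    Rules from the note: a host name and a path are required, a protocol
    prefix is not allowed, and IDN host names are not supported. Escaped
    characters in the path are decoded so they compare equal to decoded
    request paths (assumption).
    """
    if "://" in pattern:
        raise OverridePatternError("do not include a protocol with the URL pattern")
    host, slash, path = pattern.partition("/")
    if not host or not slash:
        raise OverridePatternError("pattern must include a host name and a path")
    if not host.isascii():
        raise OverridePatternError("IDN host names are not supported")
    return host.lower() + "/" + unquote(path)


class CategoryStore:
    def __init__(self, reputation: Dict[str, str], overrides: Dict[str, str]):
        # reputation: constructed stand-in for the remote service, keyed by host or IP.
        self.reputation = reputation
        self.overrides = {validate_override_pattern(p): c for p, c in overrides.items()}

    def lookup(self, url: str) -> Tuple[str, str]:
        """Return (category, source), as the Category Query tab reports it.

        Source is 'override' when a URL Category Override pattern matches,
        otherwise 'IP address' or 'URL' depending on what was queried.
        """
        if "://" not in url:               # a protocol is optional in queries
            url = "http://" + url
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host:
            raise ValueError("each URL must include a host name")
        path = unquote(parts.path or "/")
        if parts.query:
            path += "?" + parts.query
        target = host + path
        for pattern, category in self.overrides.items():   # overrides win
            if fnmatchcase(target, pattern):
                return category, "override"
        try:
            ipaddress.ip_address(host)
            source = "IP address"
        except ValueError:
            source = "URL"
        return self.reputation.get(host, "Uncategorized"), source

    def is_blocked(self, url: str, blocked: Set[str]) -> bool:
        """Access-rule decision: block when the resolved category is in a blocked set."""
        category, _ = self.lookup(url)
        return category in blocked


# Constructed sample data; category names and hosts are illustrative only.
STORE = CategoryStore(
    reputation={"www.contoso.com": "Business", "203.0.113.10": "Web Hosting"},
    overrides={"www.contoso.com/games/*": "Games"},
)
BLOCKED = {"Games"}

if __name__ == "__main__":
    for u in ("http://www.contoso.com/training/",
              "www.contoso.com/games/chess%20club",
              "http://203.0.113.10/"):
        print(u, STORE.lookup(u),
              "blocked" if STORE.is_blocked(u, BLOCKED) else "allowed")
```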

Backing up and restoring the Forefront TMG configuration

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following topics describe how to back up and restore Forefront TMG settings, for the different configuration options:

Backing up and restoring the enterprise configuration

Backing up and restoring the array configuration

Backing up and restoring specific policies and settings

Backing up and restoring using VSS Writer

Before you start the backup or restore process, make sure you read the information provided in Planning for backup and restore.

http://technet.microsoft.com/en-us/library/bb794815.aspx

Backing up and restoring the enterprise configuration


Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to back up and restore the enterprise configuration from your Enterprise Management Server (EMS). Enterprise configuration settings are relevant for, and are shared by, all members of the array.

Note:

You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore the enterprise configuration. To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise Administrator.

The following procedures provide instructions on:

Backing up an enterprise configuration

Restoring an enterprise configuration

Backing up an enterprise configuration

To back up an enterprise configuration

1. In the Forefront TMG Management console, in the tree, click the Enterprise node.

2. On the Tasks tab, click Export Enterprise Configuration.

3. To export confidential information, such as user passwords and certificates, select Export confidential information and provide a password. Confidential information is encrypted during the export process. The password you enter here will be required to import the configuration.

Note:

It is recommended that you specify a strong password to ensure proper protection of encrypted information. For details, see Planning for backup and restore.

The export process does not back up Secure Sockets Layer (SSL) certificates. For information about how to back up SSL certificates, see About backing up SSL certificates.

4. To export user permissions, select Export user permission settings.

5. In Save this data in this file, specify the folder in which the export file will be saved, and the file name.


6. In File name, enter a name for the exported file.

Restoring an enterprise configuration

To restore an enterprise configuration

1. In the Forefront TMG Management console, in the tree, click the Enterprise node.

2. On the Tasks tab, click Import Enterprise Configuration.

3. Select the file that you saved when you exported the configuration.

4. Select Overwrite (restore) to restore configuration settings.

5. If you exported user permissions, select Import user permission settings.

6. If you exported confidential information, enter the password that you specified when you exported the file.

Backing up and restoring the array configuration

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to back up and restore an array configuration, for a single-server or multiple-server array. Array configuration includes the following settings:

Array configuration settings, which are relevant for, and are shared by, all members of the array.

Server configuration settings, specific to each array member.

The following procedures provide instructions on:

Backing up an array configuration

Restoring an array configuration

Note:

To back up and restore array-level confidential information, you must be a Forefront TMG Array Administrator.

Backing up an array configuration

To back up an array configuration

1. In the Forefront TMG Management console, in the tree, click the array ArrayName.

2. On the Tasks tab, click Export (Back up) Array Configuration.


3. To export confidential information, such as user passwords and certificates, select Export confidential information and provide a password. Confidential information is encrypted during the export process. The password you enter here will be required to import the configuration.

Note:

It is recommended that you specify a strong password to ensure proper protection of encrypted information. For details, see Planning for backup and restore.

The export process does not back up Secure Sockets Layer (SSL) certificates. For information about how to back up SSL certificates, see About backing up SSL certificates.

4. To export user permissions, select Export user permission settings.

5. In Save this data in this file, specify the folder in which the export file will be saved, and the file name.

6. In File name, enter a name for the exported file.

Restoring an array configuration

To restore an array configuration

1. In the Forefront TMG Management console, in the tree, click the array ArrayName.

2. On the Tasks tab, click Import (Restore) Array Configuration.

3. Select the file that you saved when you exported the configuration.

4. Select Overwrite (restore) to restore the configuration settings.

5. If you want to import server-specific settings, select Import server-specific information.

6. If you exported user permissions, select Import user permission settings.

7. If you exported confidential information, enter the password that you specified when you exported the file.

Backing up and restoring specific policies and settings

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)


This topic describes how to export specific elements of the Forefront TMG configuration, namely individual policy rules and rule elements.

The following procedures provide instructions on:

Exporting a single policy rule or rule elements

Importing a single policy rule or rule elements

Note:

You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore enterprise-level settings.

To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise Administrator.

To back up and restore array-level confidential information, you must be a Forefront TMG Array Administrator.

Exporting a single policy rule or rule elements

To export a single policy rule or rule elements

1. In the Forefront TMG Management console tree, click Firewall Policy.

2. To export a single policy rule: In the details pane, right-click the applicable rule, and then click Export Selected.

To export a single-rule element: In the Toolbox pane, right-click the required rule element, and then click Export Selected.

To export multiple-rule elements: In the Toolbox pane, right-click the required rule elements, and then click Export All.

3. To export confidential information, such as user passwords, certificates, and RADIUS shared secrets, select Export confidential information and provide a password. Confidential information is encrypted during the export process. The password you enter here will be required to import the configuration.


Note:

It is recommended that you specify a strong password to ensure proper protection of encrypted information. For details, see Planning for backup and restore.

4. In Save this data in this file, specify the folder in which the export file will be saved, and the file name.

Importing a single policy rule or rule element

To import a single policy rule or rule element

1. In the Forefront TMG Management console tree, click Firewall Policy.

2. To import a single policy rule: In the details pane, right-click the applicable rule, and then click Import to Selected.

Note:

You cannot import a file to overwrite the default rule.

3. To import a single-rule or a multiple-rule element: In the Toolbox pane, right-click the required rule element, and then click Import All.

4. Select the file that you saved when you exported the configuration settings.

5. If you want to import server-specific settings, select Import server-specific information.

6. If you exported confidential information, enter the password that you specified when you exported the file.

Backing up and restoring using VSS Writer

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

You can back up and restore the Forefront TMG configuration using Volume Shadow Copy Service (VSS). VSS is a set of Component Object Model (COM) application programming interfaces (APIs) that provide standardized interfaces, enabling third-party backup and restoration software to centrally manage the backup and restore operations on a variety of applications. In Forefront TMG, the configuration is stored in an instance of Active Directory Lightweight Directory Services (AD LDS). When you use VSS to back up and restore the Forefront TMG configuration, Forefront TMG calls the AD LDS VSS Writer.

The writer name string for this writer is "ISA Writer".


The writer ID for the registry writer is 25F33A79-3162-4496-8A7D-CAF8E7328205.

Ensure that you back up the required server, depending on whether it is standalone or belonging to an array, as follows:

Enterprise array—Back up the Forefront TMG Enterprise Management Server (EMS).

Standalone array—Back up the array manager.

Standalone server—Back up the Forefront TMG server.

Note:

You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore enterprise-level settings.

To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise Administrator.

To back up and restore array-level confidential information, you must be a Forefront TMG Array Administrator.

Forefront TMG Troubleshooting

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following topics provide guidance for diagnosing and resolving issues you may encounter with Forefront TMG:

Tracking configuration changes

Simulating network traffic

Using diagnostic logging

Troubleshooting the installation

Troubleshooting Web access protection

Unsupported Configurations

http://technet.microsoft.com/en-us/library/dd897100.aspx

Tracking configuration changes


Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Configuration change tracking enables the registering of all configuration changes that are made either in Forefront TMG Management, or programmatically using scripts. You can use configuration change tracking as a support tool to determine the cause of an issue that results from a configuration change. By default, change tracking is disabled.

You can view the output of configuration change tracking in the Change Tracking tab of the Troubleshooting node, in the Forefront TMG Management console. In Forefront TMG Enterprise Edition, you can configure configuration change tracking at the enterprise level. When you enable configuration change tracking on the enterprise, tracking is enabled on all arrays in the enterprise. Enterprise settings override array-level settings.

When you apply changes at both the array and enterprise level, two entries appear in the output; one showing the configuration change at the enterprise level, and the other showing the change at the array level.

The following describes:

Viewing configuration change tracking output

Configuring the change tracking feature

Entering a change description

Filtering and searching configuration changes

Viewing configuration change tracking output

Each configuration change tracking output entry represents a single configuration change. Entries are sorted by date and time, the most recent first.

The following information is displayed in the results pane of the Change Tracking tab:

Time—The date and time of the configuration change.

User—The user name of the person who made the configuration change.

Change Summary—A system-generated description of the configuration change in Forefront TMG.

Description—The change description that the user entered for the configuration change.

Array—The name of the array in which the configuration change was made, or the name of the enterprise if the change was made on the enterprise level (Enterprise Edition only).

You can expand each entry to display more details.


Configuring the change tracking feature

You can configure the following for the change tracking feature:

Enable change tracking.

Specify a maximum number of entries in the change tracking log.

Require users who make configuration changes in Forefront TMG Management to specify a description that appears in the configuration change tracking output.

To enable and configure change tracking

1. In the Forefront TMG Management console, click the Troubleshooting node, and then click the Change Tracking tab.

2. On the Tasks tab, click Configure Change Tracking.

3. To enable change tracking, select Enable change tracking.

Note:

To configure change tracking at the enterprise level, right-click the enterprise node, click Properties, and then click the Change Tracking tab from the Enterprise Properties dialog box.

4. To disable the change description prompt, clear the Prompt for a change description when applying configuration changes check box. This option, which is selected by default, enables users to add an optional change description when making configuration changes in Forefront TMG Management.

5. To specify a maximum number of entries for the change tracking log, in the Limit number of entries to box, enter the required number. It is recommended that you do not configure a limit of more than 10,000, as this may affect performance.

Note:

When the maximum number of entries is reached, the earliest entries are overwritten.

6. To view the entry in the configuration change tracking output, click Apply.

Entering a change description

If configuration change tracking is enabled, users who make configuration changes in Forefront TMG Management can enter an optional description for that change. This description appears in the configuration change tracking output.


To export the current configuration and a change description

1. After you make configuration changes in Forefront TMG Management, when you click Apply, the Configuration Change Description prompt appears, enabling you to type a description of the change.

2. Before applying the change and change description, you can create a backup of the existing configuration by exporting the configuration. To open the Export Wizard, click Export. For Enterprise Edition, export backs up the entire enterprise.

3. Click Apply. The required configuration change is saved, and the description is applied to the change.

4. When the Saving Configuration Changes status dialog box appears, click OK. The configuration changes are recorded to the change tracking output.

Filtering and searching configuration changes

Filter options are accessible at the top of the Change Tracking tab. You can filter the entries by user name and by content. You can also use the shortcut key CTRL+F to search for entries.

To search for an entry

1. In the User name contains box, enter the name of the user who performed the configuration change.

2. In the Entry contains box, enter a keyword for the search.

Note:

You can filter by one or both options.

3. Click the Apply Filter button. The system executes a search; the results appear in the Troubleshooting node on the Change Tracking tab.

4. To display more details, you can expand each entry in the output.
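The following Python code is an added example and is not part of the Forefront TMG documentation or product. It models the change tracking behaviour described above (a bounded number of entries with the earliest overwritten once the limit is reached, and the User name contains and Entry contains filters, applied singly or together) on constructed sample entries. That the Entry contains filter also searches the optional change description is an assumption.

```python
"""Bounded change-tracking log with "User name contains" / "Entry contains" filters.

Added example, not Forefront TMG code. It models the behaviour the guide
describes for the Change Tracking tab: a maximum number of entries (the
earliest entries are overwritten once the limit is reached) and filters on
user name and entry content that can be applied singly or together. Entry
texts are constructed sample data; matching "Entry contains" against the
change description as well as the entry text is an assumption.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ChangeEntry:
    when: datetime
    user: str         # account that clicked Apply in Forefront TMG Management
    entry: str        # the recorded configuration change
    description: str  # optional text from the Configuration Change Description prompt


class ChangeTrackingLog:
    """Keeps at most `limit` entries; the oldest is discarded when a new one arrives."""

    def __init__(self, limit: int) -> None:
        if limit < 1:
            raise ValueError("limit must be at least 1")
        self.limit = limit
        # deque(maxlen=...) drops the leftmost (earliest) entry automatically,
        # which is the overwrite behaviour the guide describes.
        self._entries: deque = deque(maxlen=limit)

    def record(self, when: datetime, user: str, entry: str, description: str = "") -> None:
        self._entries.append(ChangeEntry(when, user, entry, description))

    def entries(self) -> list:
        return list(self._entries)

    def filter(self, user_contains: Optional[str] = None,
               entry_contains: Optional[str] = None) -> list:
        """Case-insensitive substring filters; both must hold when both are given."""
        user_needle = (user_contains or "").lower()
        entry_needle = (entry_contains or "").lower()
        hits = []
        for e in self._entries:
            if user_needle and user_needle not in e.user.lower():
                continue
            if entry_needle and entry_needle not in (e.entry + " " + e.description).lower():
                continue
            hits.append(e)
        return hits


def build_sample_log(limit: int = 3) -> ChangeTrackingLog:
    """Constructed sample: four changes recorded into a log limited to `limit` entries."""
    log = ChangeTrackingLog(limit)
    t0 = datetime(2010, 2, 1, 9, 0)
    changes = [
        ("CONTOSO\\alice", "Access rule 'Allow Web' created", "Initial Web access for staff"),
        ("CONTOSO\\bob", "Access rule 'Allow Web' moved to position 1", ""),
        ("CONTOSO\\alice", "Web listener 'OWA' certificate replaced", "Cert renewal"),
        ("CONTOSO\\carol", "Access rule 'Block streaming' created", "Bandwidth"),
    ]
    for i, (user, entry, desc) in enumerate(changes):
        log.record(t0 + timedelta(minutes=i), user, entry, desc)
    return log


if __name__ == "__main__":
    log = build_sample_log(limit=3)
    # With a limit of 3, alice's first change has already been overwritten.
    for e in log.filter(entry_contains="access rule"):
        print(e.when.isoformat(), e.user, e.entry)
```

Because the earliest entries are silently overwritten, the change tracking output alone is not a durable audit trail: export the configuration (or copy the entries out) before the limit is reached if you need to reconstruct who changed a rule and when.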

Simulating network traffic

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The traffic simulator simulates network traffic in accordance with specified request parameters, and provides information about firewall policy rules that are evaluated for the request. This feature can help troubleshoot communication issues that users may have with the destination server (for example, when a user from the internal corporate network tries to access an Internet Web server but is denied access). The traffic simulator scans all of the published rules correlating with the scenario. The administrator can then check the results to determine how to resolve the issue. In addition, this feature can verify the functionality of a new policy rule by testing traffic that is handled by the new rule.

The traffic simulator can be run from a remote management computer. The traffic simulator is run per array. You select the server within the array on which you want to run the traffic simulator.

Important:

The traffic simulator checks rules only on the basis of what is allowed or denied by the firewall engine. The traffic simulator is not aware of traffic that is blocked or allowed based on application filter settings, or HTTP filtering, which means that even if simulated traffic is allowed, real traffic may be blocked by a filter.

The following describes how to configure the traffic simulator, and how to simulate traffic scenarios.

Configuring the traffic simulator

The following lists the different firewall policy scenarios that can be simulated:

Web access—Simulates traffic handled by an access rule, by allowing or denying Web access for clients making Web proxy requests.

Non-Web access—Simulates traffic handled by access rules, by allowing or denying internal client requests for non-Web resources in other networks.

Web publishing—Simulates traffic from clients making requests to published Web servers located on corporate networks (requests that are handled by Web publishing rules in ISA Server).

Server publishing—Simulates traffic between clients and non-HTTP published servers located on corporate networks (requests that are handled by server publishing rules in Forefront TMG).

The results of the simulation for the configuration properties of the policy rules appear at the bottom of the screen. You can check any of the setting details in the following list to evaluate the cause of any network issues.

 

Setting                   Description
Rule Name                 Displays the name of the policy rule used by the request.
Rule Order                Displays the order number of the rule. Rule ordering numbers are displayed in the details pane of the Firewall Policy node in Forefront TMG Management.
From                      Displays the source network from which the traffic is initiated.
To                        Displays the destination network to which the traffic is being sent.
Network Rule Name         Specifies the name of the network rule used.
Network Relationship      Specifies the network relationship in the policy rule as either network address translation (NAT) or Route.
Protocol                  Specifies the protocol used to establish the connection (for example, HTTP).
Rule Application Filters  Lists the application filter types defined in the published rule.
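The following Python code is an added example; it is not Forefront TMG code and not its firewall engine. It uses a small constructed rule set to show what the result fields above mean: access rules are walked in policy order, the first rule whose protocol, source network, destination name and user condition all match decides the request, and the network rule between the two networks supplies the NAT or Route relationship. Like the real simulator (see the Important note above), it ignores application filters and HTTP filtering, so an Allow here can still be blocked by a filter on live traffic. The networks, rules and client address are constructed, and the assumption that a request with no network rule between its networks is denied is not stated on this page.

```python
"""First-match policy evaluation, modelled on the traffic simulator's result fields.

Added example, not Forefront TMG code. Access rules are evaluated in policy
order; the first matching rule decides. Application filters and HTTP
filtering are deliberately NOT modelled, matching the simulator's own caveat.
All networks, rules and addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Network:
    name: str
    ranges: tuple  # CIDR strings

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r) for r in self.ranges)


@dataclass(frozen=True)
class NetworkRule:
    name: str
    source: str
    destination: str
    relationship: str  # "NAT" or "Route"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str               # "Allow" or "Deny"
    protocols: tuple          # protocol names, or ("*",) for all outbound traffic
    from_networks: tuple
    to_names: tuple           # destination name patterns (fnmatch style); ("*",) for any
    users: str = "All Users"  # or "All Authenticated Users"


@dataclass(frozen=True)
class Request:
    protocol: str
    source_ip: str
    destination_name: str
    destination_network: str  # the simulator's "To" network
    authenticated: bool


@dataclass(frozen=True)
class SimulationResult:
    rule_name: str
    rule_order: int
    action: str
    from_network: Optional[str]
    to_network: str
    network_rule_name: Optional[str]
    network_relationship: Optional[str]
    protocol: str


def simulate(req: Request, networks: list, network_rules: list, policy: list) -> SimulationResult:
    """Evaluate `req` against the ordered `policy` and report the deciding rule."""
    src = next((n.name for n in networks if n.contains(req.source_ip)), None)
    net_rule = next((r for r in network_rules
                     if r.source == src and r.destination == req.destination_network), None)
    if src is None or net_rule is None:
        # Assumption (ISA Server/TMG behaviour, not stated on this page): with no
        # network rule between the two networks nothing is routed or translated.
        return SimulationResult("(no network rule)", 0, "Deny", src, req.destination_network,
                                None, None, req.protocol)
    for order, rule in enumerate(policy, start=1):
        if "*" not in rule.protocols and req.protocol not in rule.protocols:
            continue
        if src not in rule.from_networks:
            continue
        if not any(fnmatch(req.destination_name, pat) for pat in rule.to_names):
            continue
        if rule.users == "All Authenticated Users" and not req.authenticated:
            continue
        return SimulationResult(rule.name, order, rule.action, src, req.destination_network,
                                net_rule.name, net_rule.relationship, req.protocol)
    # Forefront TMG's built-in last rule, "Default rule", denies everything not matched above.
    return SimulationResult("Default rule", len(policy) + 1, "Deny", src, req.destination_network,
                            net_rule.name, net_rule.relationship, req.protocol)


# Constructed sample configuration (not a real deployment). Networks are checked in
# list order, so the catch-all External network must come last.
NETWORKS = [Network("Internal", ("10.0.0.0/8",)), Network("External", ("0.0.0.0/0",))]
NETWORK_RULES = [NetworkRule("Internet Access", "Internal", "External", "NAT")]
POLICY = [
    AccessRule("Block streaming sites", "Deny", ("HTTP", "HTTPS"), ("Internal",),
               ("*.streaming.example",)),
    AccessRule("Allow Web access for staff", "Allow", ("HTTP", "HTTPS"), ("Internal",),
               ("*",), users="All Authenticated Users"),
]


def web_access(destination: str, authenticated: bool, protocol: str = "HTTP") -> SimulationResult:
    """Simulate a Web proxy request from a constructed internal client address."""
    return simulate(Request(protocol, "10.0.5.20", destination, "External", authenticated),
                    NETWORKS, NETWORK_RULES, POLICY)


if __name__ == "__main__":
    for dest, auth in (("www.example.com", True), ("www.example.com", False),
                       ("video.streaming.example", True)):
        print(dest, "authenticated" if auth else "anonymous", web_access(dest, auth))
```

The anonymous request shows the case the guide's first example describes: the allow rule exists, but because it applies only to authenticated users the request falls through to the Default rule, and Rule Order tells you which rule actually decided. Moving a rule changes the outcome, which is why the Rule Order column is worth checking before editing rule conditions.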

Simulating traffic scenarios

To run the traffic simulation, you must first configure the traffic scenario settings. The following procedures describe how to simulate traffic:

For Web proxy access to the Internet

For non-HTTP access connection

To a published Web server

To a non-HTTP published server

To simulate traffic for Web proxy access to the Internet

1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2. In Simulation Scenarios, click Web access.

3. In Source Parameters, configure the source request settings.

4. Select if traffic is to be sent from an anonymous or authenticated user. For authenticated users, in Namespace, select Windows or RADIUS.

5. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.

6. In Server, select the server from which you are running the traffic simulator.

7. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

8. Click Start.

9. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic for a non-HTTP access connection

1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2. In Simulation Scenarios, click Non-Web access.

3. In the IP address box, enter the network IP address of the source server.

4. In Destination/Source Parameters, configure the request settings.

5. In Server, select the server from which you are running the traffic simulator.

6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

7. Click Start.

8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic to a published Web server

1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2. In Simulation Scenarios, click Web publishing.

3. In Source Parameters, configure the source request settings.

4. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.

Note:

The URL is the one published by Forefront TMG. The URL is specified on the Public Name tab. Forefront TMG must be able to resolve it to its external IP address; otherwise the simulation fails.

5. In Server, select the server from which you are running the traffic simulator.

6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

7. Click Start.

8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic to a non-HTTP published server

1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2. In Simulation Scenarios, click Server Publishing.

3. In the Destination/Source Parameters box, configure the request settings.

4. In Server, select the server from which you are running the traffic simulator.

5. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

6. Click Start.

7. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

Using diagnostic logging

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

Diagnostic logging tracks the behavior of policy components in Forefront TMG. Diagnostic logging enhances traditional log information by tracing the flow of a specific packet, reporting on packet progress and providing information about traffic handling and rule matching. You can configure and view diagnostic logging on the Diagnostic Logging tab of the Troubleshooting node in Forefront TMG Management. When diagnostic logging is enabled, it automatically logs events for firewall policy access and authentication issues.

The following topics provide information that can help you view the diagnostic events:

Viewing the diagnostic log

Filtering the diagnostic log

Configuring diagnostic logging

http://technet.microsoft.com/en-us/library/dd897109.aspx

Troubleshooting the installation


Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

This topic provides guidance for diagnosing and resolving installation issues you may encounter with Forefront TMG when:

Upgrading to Windows Server 2008 R2

Installing from a network drive

Group Policy enforces Windows Firewall

Tip:

For the complete flow of troubleshooting Forefront TMG installation problems, download the Troubleshooting Forefront TMG Services SuperFlow (http://go.microsoft.com/fwlink/?LinkID=182922) at the Microsoft Download Center.

Upgrading to Windows Server 2008 R2

If you installed Forefront TMG on a computer running Windows Server 2008, and you want to upgrade the operating system to Windows Server 2008 R2, you must perform a clean installation of Windows Server 2008 R2. The supported upgrade path is:

1. Export the Forefront TMG configuration.

2. Perform a clean installation (not an upgrade) of the new operating system.

3. Install Forefront TMG.

4. Import the Forefront TMG configuration.

Installing from a network drive

If you are running the Performance Tool or Setup from a shared drive, make sure that the computer automatically reconnects to this drive after system restart. These two applications may require or initiate a restart, and failure to locate them after restart may result in a failed installation.

Group Policy enforces Windows Firewall

When installing Forefront TMG on a computer that is joined to a domain with Group Policy object (GPO) enforcement of Windows Firewall, the installation will not complete successfully because Setup tries to disable the Windows Firewall. As a workaround, you can direct Setup to ignore this error by adding a flag to the Windows Registry, as follows:

1. Open the Windows Registry using the command regedit.

Tip:

It is recommended that you back up the registry before making any changes.

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\SETUP.

3. Right-click IGNORE_WINDOWS_FIREWALL_GPO_ENFORCEMENT, select Modify, and change the Value data to 1.

Troubleshooting Web access protection

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

The following topics help you determine the cause and resolution of problems you might experience while using Forefront TMG Web access protection:

Troubleshooting URL filtering

Troubleshooting HTTPS inspection

Troubleshooting NIS

For a description of Forefront TMG Web access protection, see the Forefront TMG secure Web gateway solution guide.

http://technet.microsoft.com/en-us/library/ff358613.aspx

Unsupported Configurations

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

This topic summarizes common unsupported configurations and scenarios you may encounter when deploying and maintaining Forefront TMG. For each issue, possible causes are described, and solutions are suggested where applicable.

This topic is divided into these sections:

Installation issues

Array issues

ISP Redundancy issues

Network and routing issues

Dial-up issues

Load Balancing issues

VPN issues

Publishing issues

Protocol and application issues

Authentication issues

Installation issues


This section describes the following installation issues, their causes, and solutions:

Forefront TMG is not supported on a 32-bit operating system

Forefront TMG is not supported on Windows Server 2003

Forefront TMG is not supported on all editions of Windows Server 2008

Installing EMS on a Forefront TMG computer is not supported

In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported

In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported

Forefront TMG installed on a domain controller is not supported

Forefront TMG Client is not supported on Windows 2000

Forefront TMG does not support Firewall Client 2000

Workgroup deployment limitations

Multiple firewall products

Forefront TMG is not supported on a 32-bit operating system

Issue: Installing Forefront TMG firewall or EMS role on a 32-bit operating system is blocked.

Cause: Forefront TMG firewall or EMS role will not install or run on a 32-bit operating system. Only the Forefront TMG Management console can be installed on a 32-bit operating system (Windows Server 2008 R2, Windows Server 2008 SP2, Windows 7, or Windows Vista SP1).

Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Forefront TMG is not supported on Windows Server 2003

Issue: Installing Forefront TMG or Forefront TMG EMS on Windows Server 2003 is blocked.

Cause: Forefront TMG or Forefront TMG EMS will not install or run on Windows Server 2003.

Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2. For more detailed information on installation requirements, see System requirements for Forefront TMG.


Forefront TMG is not supported on all editions of Windows Server 2008

Issue: Installing Forefront TMG or Forefront TMG EMS is not supported on all editions of Windows Server 2008.

Cause: The table below summarizes the editions of Windows Server 2008 that are supported.

 

Windows Server 2008       Core Installation  Web Edition  Foundation Edition  Standard Edition  Enterprise Edition  Datacenter Edition
Forefront TMG             No                 No           No                  Yes               Yes                 Yes
Forefront TMG EMS         No                 No           Yes                 Yes               Yes                 Yes
Forefront TMG Management  No                 Yes          Yes                 Yes               Yes                 Yes

Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2 taking the above information into consideration. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Installing EMS on a Forefront TMG computer is not supported

Issue: Installing an Enterprise Management Server (EMS) on a computer with Forefront TMG already installed.

Cause: Running both Forefront TMG and an EMS from the same computer is not supported.

Solution: No workaround.

In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported

Issue: In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not possible.

Cause: Forefront TMG cannot be installed on the same operating system (Windows Server 2003) on which ISA Server runs, so in-place upgrade is not possible.

Solution: Perform a migration, as follows:

1. Export the ISA Server configuration settings and certificates.

2. Perform a clean installation of Windows Server 2008 SP2 or Windows Server 2008 R2.

3. Install Forefront TMG.

4. Import the configuration settings and certificates.

See Migrating from ISA Server 2004/2006 to Forefront TMG for more detailed information.

In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported

Issue: Upgrading from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported.

Cause: Forefront TMG does not support upgrading to Windows 2008 R2 while Forefront TMG is installed.

Solution: Perform a migration, as follows:

1. Export the Forefront TMG configuration and certificates.

2. Perform a clean installation of Windows 2008 R2.

3. Install Forefront TMG.

4. Import the configuration and certificates.

Warning:

Uninstalling Forefront TMG, and then upgrading to Windows 2008 R2, is also not supported.

Forefront TMG installed on a domain controller is not supported

Issue: Installing Forefront TMG or Forefront TMG EMS on a computer configured as an Active Directory domain controller is not supported.

Cause: This installation is blocked by the Forefront TMG installer.

Note:

Installing Forefront TMG Management console on a domain controller is supported.

Solution: Virtualization offers an alternative if both Forefront TMG and a domain controller must be on the same computer. For more information, see Forefront TMG support in a virtual environment and Security Considerations with Forefront Edge Virtual Deployments (http://go.microsoft.com/fwlink/?LinkId=178740).

Forefront TMG Client is not supported on Windows 2000

Issue: Installing Forefront TMG Client is not supported on Windows 2000.

Cause: The following table summarizes the operating system support for Forefront TMG Client and other Firewall client software.

 

Operating system         Forefront TMG Client  Firewall Client 2006  Firewall Client 2004  Firewall Client 2000
Windows 7                Yes                   Yes                   No                    No
Windows Server 2008      Yes                   Yes                   No                    No
Windows Vista            Yes                   Yes                   No                    No
Windows Server 2003 SP1  Yes                   Yes                   Yes                   Yes
Windows XP               Yes                   Yes                   Yes                   Yes
Windows 2000             No                    Yes                   Yes                   Yes

Solution: Install the Forefront TMG Client software on a supported operating system.

Forefront TMG does not support Firewall Client 2000

Issue: Forefront TMG does not support Firewall Client 2000.

Cause: The following table summarizes the support between Forefront TMG, ISA Server and their Clients.

 

Client                Forefront TMG  ISA Server 2006  ISA Server 2004  ISA Server 2000
Forefront TMG Client  Yes            Yes              Yes              No
Firewall Client 2006  Yes            Yes              Yes              Yes
Firewall Client 2004  Yes            Yes              Yes              Yes
Firewall Client 2000  No             Yes              Yes              Yes

Solution: Deploy a supported client. It is recommended that you use the Forefront TMG Client together with Forefront TMG for best performance and added functionality.

Workgroup deployment limitations

Issue: A number of limitations are associated with deploying Forefront TMG within a workgroup environment and not within a domain.

Cause: Certain features are not supported when Forefront TMG is deployed within a workgroup environment, as follows:

Forefront TMG deployed in a workgroup:

Domain-based user authentication cannot be applied to an array.

Client certificates cannot be used as primary authentication.

User mapping is not supported (except for PAP and SPAP).

Forefront TMG Clients deployed in a workgroup:

Automatic Web proxy detection using Active Directory Auto Discover is not possible.

Group policy deployment of the HTTPS inspection trusted root certification authority (CA) certificate to client computers is not possible.

Forefront TMG EMS deployed in a workgroup:

EMS replication is not supported.

For more information, see Workgroup and domain considerations.

Multiple firewall products

Installing other firewall products (such as a personal host firewall) on a Forefront TMG computer is not supported. Attempting to create a layered firewall deployment on a single server by adding additional firewall products will result in unpredictable behavior, and may cause the server to fail.

Note:

A number of antivirus products may also install some firewall components, such as worm protection, which can result in unpredictable behavior.

Array issues

This section describes the following Forefront TMG array issues, their causes, and solutions:

An array of Forefront TMG servers with different operating systems is not supported

Forefront TMG and ISA Server cannot coexist in the same enterprise or array

Forefront TMG does not support firewall chaining

An array of Forefront TMG servers with different operating systems is not supported

Issue: An array that contains some Forefront TMG servers with Windows Server 2008 SP2 installed, and other Forefront TMG servers with Windows Server 2008 R2 installed, is not supported.

Cause: All the Forefront TMG servers in an array must have the same operating system, either Windows Server 2008 SP2 or Windows Server 2008 R2. This is especially significant when upgrading the array to Windows Server 2008 R2.

Solution: You must build a new array and then migrate each Forefront TMG server to the new array (after each one completes the Windows Server 2008 R2 and then Forefront TMG installations).

Forefront TMG and ISA Server cannot coexist in the same enterprise or array

Issue: Forefront TMG and ISA Server cannot operate as members of the same array or enterprise.

Cause: Forefront TMG and ISA Server require different configuration schema and settings, and cannot be simultaneously controlled by a single array manager.

Solution: No workaround.

Forefront TMG does not support firewall chaining

Issue: Forefront TMG does not support firewall chaining.

Cause: Firewall chaining has been deprecated and is no longer supported by Forefront TMG.

Solution: Configure your downstream servers as SecureNAT clients of the upstream server, or use Web chaining.


ISP Redundancy issues

This section describes the following ISP Redundancy issues, their causes, and solutions:

ISP redundancy does not support more than two external interfaces

Forefront TMG does not support more than two default gateways

Multiple DHCP default gateways are not supported

ISP redundancy does not support e-mail protection

Protocol-based load balancing is not supported with ISP redundancy feature

ISP redundancy does not support more than two external interfaces

Issue: Forefront TMG does not support more than two external connections to Internet Service Providers (ISPs).

Cause: Forefront TMG can support only two external connections with the ISP Redundancy feature.

Solution: No workaround. There are a number of third-party products that may provide a solution. For more information, see High Availability and Load Balancing on the Windows Server System Web site (http://go.microsoft.com/fwlink/?linkid=179985).

Forefront TMG does not support more than two default gateways

Issue: No support for more than two default gateways.

Cause: Forefront TMG does not support more than two default gateways configured on the same network adapter (within different subnets), or on two different adapters (one default gateway per adapter). Using more than one default gateway is only supported for the ISP Redundancy feature.

Solution: To enable ISP redundancy, set the default gateway on each of the Forefront TMG network adapters to a different ISP. If only one network adapter is available, it is possible to set two default gateways, as long as each default gateway is in a different subnet.

Multiple DHCP default gateways are not supported

Issue: Forefront TMG does not support configuring the ISP redundancy feature when your ISPs only support DHCP-assigned addressing.

Cause: Windows Server 2008 does not support multiple default gateways in DHCP-assigned links.

Solution: Manually add both default gateways to the routing table on Forefront TMG.

ISP redundancy does not support e-mail protection

Issue: When e-mail protection using Forefront Protection for Exchange (FPE) is used in Forefront TMG, the e-mail traffic will not fail over to an alternate ISP link even if the ISP redundancy functionality is configured in Forefront TMG.

Cause: The ISP redundancy feature requires a NAT relationship with the external network in order to fail over the connection to an alternate ISP. SMTP listeners on the external NIC cannot take advantage of the ISP redundancy functionality as there is no address translation in mail traffic.

Solution: No solution. To take advantage of the ISP redundancy functionality, use the SMTP publishing feature to publish the internal SMTP servers.

Protocol-based load balancing is not supported with the ISP redundancy feature

Issue: Forefront TMG cannot distribute traffic based on the protocol that is used (for example, HTTP through one link and SMTP through the other).

Cause: Protocol-based load balancing is not supported with the ISP redundancy feature.

Solution: No workaround.

Network and Routing issues

This section describes the following network and routing issues, their causes, and solutions:

Forefront TMG does not support defining networks that represent remote subnets

Configuring intradomain communications with a NAT relationship

Internationalized Domain Names are not supported

Domain names that include wildcard characters are not supported with link translation enabled

Configuring Forefront TMG with a single network adapter

Protocol based Enhanced NAT is not supported

Forefront TMG does not support defining separate network objects that represent remote subnets

Issue: Forefront TMG does not support defining separate network objects that represent remote subnets.

Cause: When you define IP address ranges for a network, Forefront TMG checks all network adapters. When Forefront TMG finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets accessible by Forefront TMG through routers, the IP address of the remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), Forefront TMG tries to locate an adapter with an IP address of the network object, and fails. Forefront TMG assumes that the adapter is not available (disconnected or disabled), and sets network status to disconnected.

Solution: For best practice when defining your network configuration in Forefront TMG, take note of the following:

Include all network ranges for subnets in a network object's properties (for example, include subnet IP addresses in the IP address range for the internal network).

Apply rules to specific subnets by creating subnet objects in the Toolbox, and then using these subnet objects to specify the source and destination in access rules.
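The following Python code is an added example, not Forefront TMG code. It reproduces the association logic described in the cause above: for every network object, Forefront TMG looks for a local adapter whose IP address falls inside one of the object's ranges and, finding none, reports the network as disconnected. It contrasts the unsupported layout (a remote subnet as its own network object) with the best practice (the range folded into the Internal network, with a subnet object used to scope rules). The adapters, addresses and the branch range 10.2.0.0/16 are constructed sample data.

```python
"""Why a remote subnet defined as its own network object shows as disconnected.

Added example, not Forefront TMG code. Network status is derived the way the
guide describes: a network is "connected" only if some local adapter has an
address inside one of its ranges. Adapters and ranges are constructed sample
data; 10.2.0.0/16 stands for a branch subnet reached through a router.
"""
import ipaddress

# Constructed: the Forefront TMG computer has one internal and one external adapter.
ADAPTERS = {"LAN": "10.1.0.1", "WAN": "203.0.113.10"}


def network_status(networks: dict, adapters: dict) -> dict:
    """Map each network name to ("Connected", adapter) or ("Disconnected", None)."""
    status = {}
    for name, ranges in networks.items():
        blocks = [ipaddress.ip_network(r) for r in ranges]
        owner = next((nic for nic, ip in adapters.items()
                      if any(ipaddress.ip_address(ip) in b for b in blocks)), None)
        status[name] = ("Connected", owner) if owner else ("Disconnected", None)
    return status


def rule_scope_matches(subnet_object: str, source_ip: str) -> bool:
    """A subnet object from the Toolbox narrows a rule to hosts in that subnet."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(subnet_object)


# Not supported: the branch subnet as a separate network object. No adapter has an
# address in 10.2.0.0/16, so the "Branch" network is reported disconnected and
# rules referencing it never match.
SEPARATE_OBJECT = {"Internal": ["10.1.0.0/16"], "Branch": ["10.2.0.0/16"]}

# Best practice: fold the branch range into the Internal network, then scope rules
# with a subnet object for 10.2.0.0/16 instead of a network object.
FOLDED_RANGE = {"Internal": ["10.1.0.0/16", "10.2.0.0/16"]}
BRANCH_SUBNET_OBJECT = "10.2.0.0/16"


def compare() -> dict:
    """Status of both layouts plus a rule-scope check for a constructed branch host."""
    return {
        "separate": network_status(SEPARATE_OBJECT, ADAPTERS),
        "folded": network_status(FOLDED_RANGE, ADAPTERS),
        "branch_host_in_scope": rule_scope_matches(BRANCH_SUBNET_OBJECT, "10.2.7.15"),
    }


if __name__ == "__main__":
    for layout, result in compare().items():
        print(layout, result)
```

The practical symptom of the unsupported layout is a network alert reporting the branch network as disconnected even though the router path works; the fix is in the network definition, not in routing.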

Configuring intradomain communications with a NAT relationship

Issue: Forefront TMG does not support intradomain communications between networks with a network address translation (NAT) relationship.

Cause: There may be some circumstances in which you want to allow communication between domains or domain members that are separated by Forefront TMG. Typical scenarios include:

A Web server located in the perimeter network that is a member of the internal domain needs to contact the domain controller in the internal network.

Applications or servers located in the perimeter network need to be accessed by internal clients.

Perimeter domain controllers require a domain trust relationship to a domain in another network.

Solution: If the networks use a NAT relationship, there is no workaround. If the networks have a route relationship, you can work around this issue by ensuring that all traffic to and from internal and remote subnet hosts is routed correctly through Forefront TMG.

Create routes on internal devices so that traffic destined for other networks is routed through Forefront TMG. This is done either on the clients themselves, where they are on the same subnet as Forefront TMG, or on the relevant router in your network infrastructure.

If you want to support requests from SecureNAT clients, specify the Forefront TMG interface as the default route for those clients.

Internationalized Domain Names are not supported

Issue: Forefront TMG does not support the use of IDN (Internationalized Domain Name) URLs.

Solution: No workaround.

Domain names that include wildcard characters are not supported with link translation enabled

Issue: Forefront TMG does not support the use of wildcard characters in the domain name when link translation is enabled; for example, *.microsoft.com is not permitted.

Cause: When link translation is enabled, the rule must specify an explicit public domain name. Domain names including wildcard characters are therefore not allowed.

Solution: Do one of the following:

Disable link translation on the Link Translation tab of the Web publishing rule properties.

In the Public Name tab, specify each Web site to which the rule will apply, rather than using a wildcard. For example, use www.microsoft.com and mail.microsoft.com, not *.microsoft.com.

Configuring Forefront TMG with a single network adapter

Issue: A number of issues are associated with the configuration of Forefront TMG on a computer with a single network adapter.

Cause: In single network adapter mode, Forefront TMG recognizes itself as the Local Host network, and everything else is recognized as the internal network. There is no concept of an external network.

Multi-network firewall policy—Application level filters operate only in the context of the Local Host network (Forefront TMG protects itself no matter what network template is applied). You can use access rules to allow non-Web protocols to and from the Forefront TMG computer only.

Application layer inspection—Application filtering is limited to the Web Proxy Filter and associated Web filters, which provides application layer inspection for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP for Web Proxy clients only.

E-mail protection—E-mail protection features are not supported. A single network adapter includes the entire network and all of its IP addresses, and this poses a problem when Forefront TMG tries to configure routing for the connectors and set their allowed remote ranges.

Server publishing—Server publishing is not supported. No external network context means that Forefront TMG cannot provide the NAT functionality required in a server publishing scenario.

Forefront TMG Clients—The Forefront TMG Client application forwards requests from Winsock to the Forefront TMG Firewall service. In a single network adapter environment with no external network context, Forefront TMG is unable to NAT or route this traffic.

SecureNAT clients—SecureNAT clients use Forefront TMG as a router to other networks. In a single network adapter environment this is a single-network context, so Forefront TMG is unable to NAT or route this traffic.

Virtual private networking—Site-to-site virtual private networks (VPNs) are not supported in a single network adapter scenario.

Solution: Redeploy Forefront TMG with at least 2 network cards using the Edge, Back Firewall or 3-leg perimeter network topology design. For more information, see the topics: Planning Forefront TMG network topology and About single network adapter topology.

Protocol based enhanced NAT is not supported

Issue: Forefront TMG cannot assign NAT IP addresses based on the protocol used (for example, HTTP traffic is assigned one IP address and SMTP another).

Cause: Protocol based enhanced NAT is not supported.

Solution: No workaround.

Dial-Up issues

This section describes the following dial-up issues, their causes, and solutions:

Forefront TMG overwrites Routing and Remote Access settings

Dial-up limitations for non-VPN connections

Forefront TMG overwrites Routing and Remote Access settings

Issue: Routing and Remote Access settings are overwritten by Forefront TMG. Demand-dial interfaces created with Routing and Remote Access are deleted.

Cause: Remote access settings must be specified using Forefront TMG Management. Any demand-dial interfaces created or modified using Routing and Remote Access that do not match networks in Forefront TMG are overwritten and deleted by Forefront TMG.


Note the following limitations when creating demand-dial interfaces using the VPN Wizard:

Forefront TMG does not support the assignment of a persistent connection, so any persistent connections you assign in Routing and Remote Access are deleted. This may be an issue if you want a VPN connection to configure automatically when the server comes online, rather than waiting for traffic to trigger the interface to dial.

Forefront TMG does not allow creation of multiple VPN connections to a particular network using different metrics. Such functionality allows more than one route to a particular network, so that if a primary route goes down, a backup route with different metrics is available.

Forefront TMG does not allow you to disable or enable specific services or network components on a specific VPN interface.

You cannot configure the number of redial attempts that the VPN connection makes.

Forefront TMG does not allow modem demand-dial interfaces.

Solution: For more information about solutions, see Knowledge Base article KB842639 (http://go.microsoft.com/fwlink/?linkid=51103).

Dial-up limitations for non-VPN connections

Issue: Forefront TMG supports dial-up connections to the Internet or a remote network using a modem connection or a virtual private network (VPN) connection. A number of limitations are associated with a non-VPN connection:

1: You can only configure automatic dialing for a non-VPN dial-up connection on one network.

Solution: If automatic dialing is used to connect directly to the Internet, select the external network for the automatic dial-up connection. You can also configure automatic dialing to connect to a branch office, or to a specific location in your organization.

2: Forefront TMG does not support customized routes. For example, if Forefront TMG dials a non-VPN connection to a remote network that is not the default gateway, this requires a custom route to the remote network. Forefront TMG overwrites Routing and Remote Access settings with its own settings. Forefront TMG creates and controls Point-to-Point Tunneling Protocol (PPTP) over Layer Two Tunneling Protocol (L2TP) interfaces, overwriting changes made in Routing and Remote Access. If modem connections are created in Routing and Remote Access, Forefront TMG deletes them.


Solution: You can use Routing and Remote Access to add a demand-dial interface for the connection and create a static route for the connection.

3: Forefront TMG uses the local domain table (LDT) to determine whether a request is to an internal computer (in the LDT) and whether dialing out is required. There may be an issue with connections being constantly dialed if clients make a dial-up request for a URL that is not defined in the LDT.

Solution: You can control whether the dial-up connection is dialed for DNS purposes. For more information, see Knowledge Base article KB901109 (http://go.microsoft.com/fwlink/?linkid=54622).

Load balancing issues

This section describes the following load balancing issues, their causes, and solutions:

NLB is not supported in Forefront TMG Standard Edition

Load balancing is not supported with Forefront TMG Clients or ISA Firewall Clients

NLB is not supported in Forefront TMG Standard Edition

Issue: Network Load Balancing on Forefront TMG Standard Edition is not supported.

Cause: Forefront TMG Standard Edition cannot operate in a multi-server array, so integrated NLB is not possible. Consequently, multiple Standard Edition servers operating in an NLB cluster cannot be peer-aware. Management and maintenance of such a deployment is too difficult to be supportable.

Solution: No workaround. To obtain support for NLB with Forefront TMG you must use the Enterprise version.

Load balancing is not supported with Forefront TMG Clients or ISA Firewall Clients

Issue: Client machines running Forefront TMG Clients or ISA Firewall Clients may have issues connecting to an array of Forefront TMG servers with any type of load balancing configured on the related Forefront TMG network.

Cause: Load balancing (either integrated or using an external load balancer) is not supported together with Forefront TMG Clients or ISA Firewall Clients.

Solution: Instead of using a load balancer, use DNS round robin to point the clients to the Forefront TMG array member’s dedicated IP addresses.

VPN issues

This section describes the following virtual private network (VPN) issues, their causes, and solutions:


DHCP address allocation for VPN remote clients not supported in a Forefront TMG array

IP filters configured on Network Policy Server not supported

VPN User mapping issues

Outbound L2TP connections are not supported by Forefront TMG configured as an L2TP/IPsec VPN server

DHCP address allocation for VPN remote clients not supported in a Forefront TMG array

Issue: Using a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses for VPN remote clients is only available in a single server Forefront TMG array.

Cause: This option is only available in Forefront TMG Standard Edition, or in Forefront TMG Enterprise Edition with a single array member. This limitation applies when an array consists of more than one member and NLB is disabled, because there is no way to guarantee DHCP address allocation across the array members.

Solution: Use static pool address assignment whenever there are multiple array members.

IP filters configured on Network Policy Server not supported

Issue: Noncompliant computers cannot access the remediation servers when IP filters have been properly configured as part of the NPS deployment.

Cause: Forefront TMG does not support IP filters defined by Network Policy Server (NPS) policies.

Solution: To allow noncompliant NAP clients to access one or more remediation servers, create an access rule on the Forefront TMG server from the Quarantined VPN Clients network to the appropriate remediation servers.

VPN User mapping issues

Issue: Do not enable user mapping when using Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2, or any type of Extensible Authentication Protocol (EAP) authentication, if Forefront TMG and the Remote Authentication Dial-In User Service (RADIUS) server are in different domains, or one of them is in a workgroup. When you configure VPN remote client access, VPN client properties include the User Mapping tab. In these scenarios, user mapping is only supported for Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication methods.

Cause: You select Enable User Mapping to map VPN remote users connecting with non-Active Directory service credentials (such as a RADIUS user) to Windows accounts. This feature enables you to apply access rules that use Windows groups and users to apply to other users. When RADIUS is authenticated with CHAP, MS-CHAP, MS-CHAP version 2, or any type of EAP, the domain specified in the user mapping is used to match the VPN client to a mirrored Active Directory account. When PAP or SPAP is used, the domain name is always ignored, and the VPN client can be matched to an Active Directory account in the local domain in which Forefront TMG is a domain member, or to a local user account on the Forefront TMG computer in a workgroup configuration.

Solution: To use CHAP, MS-CHAP, MS-CHAP version 2, or EAP, make Forefront TMG a domain member.

Outbound L2TP connections are not supported by Forefront TMG configured as an L2TP/IPsec VPN server

Issue: Outbound L2TP connections are not supported when Forefront TMG is configured as a VPN server that uses the L2TP/IPsec protocol.

Cause: By default the following settings apply:

Network address translation (NAT) is applied to outbound traffic from the internal, VPN Clients, and Quarantine VPN Clients networks to the external network.

When Forefront TMG is configured as a VPN server that uses the L2TP/IPsec protocol, traffic to and from the L2TP protocol port (UDP port 1701) is secured by IPsec.

With these default settings, the outbound L2TP client request is sent from the NAT address (usually the address of the Forefront TMG external network adapter) and the external VPN server responds to this address. Forefront TMG does not forward the L2TP traffic from the external VPN server to the client because no matching IPsec policy exists.

Solution: Use PPTP for outbound VPN connections, or do not use the L2TP/IPsec protocol when Forefront TMG is configured as a VPN server.

Publishing issues

This section describes the following publishing issues, their causes, and solutions:

Customization of HTML form pages for additional functionality is not supported

Active-Directory-based Web proxy detection is not supported by firewall clients

Port numbers appended to host headers

Multiple server certificates not supported for a single SSL listener


Customization of HTML form pages for additional functionality is not supported

Issue: It is possible to customize HTML forms used on Forefront TMG for additional functionality beyond their intended usage, but such customization is not supported.

Cause: Customizing the existing functionality of Forefront TMG HTML pages (for example, changing the error messages or using a custom logo) is encouraged and supported. However, the degree that any HTML page can be customized is very extensive, so any customization to Forefront TMG HTML pages with the intention to add additional functionality, which goes beyond the scope of intended use, is not supported.

Solution: If issues arise as a result of such customization of the Forefront TMG HTML pages, the original files should be restored. For more information on what customization is supported and how to implement the changes, see the topics Customizing HTML forms and Customizing HTML error messages in Forefront TMG.

Active-Directory-based Web proxy detection is not supported by ISA Firewall clients

Issue: ISA Firewall clients cannot automatically detect the Web proxy via Active Directory.

Cause: Active-Directory-based Web proxy detection is only supported on Forefront TMG Clients.

Note:

Active-Directory-based Web proxy detection is not supported by clients in a workgroup environment; Forefront TMG Clients must be members of a domain.

Solution: No workaround.

Port numbers appended to host headers

Issue: When a publishing configuration requires redirection to a different port number, Forefront TMG appends the port number to the host header. For example:

If you listen for Web requests on port 81, and the Web publishing rule for www.contoso.com sends requests to domain.site.internal, which is listening on port 80, the host header sent to domain.site.internal will be www.contoso.com:81.

In an HTTPS-to-HTTP bridging scenario, you publish a Web site over a Secure Sockets Layer (SSL) connection; the host header is forwarded to the back-end Web server as <hostheader>:443.

This behavior may be an issue where Web applications build links that are dynamically based on the host header.


Cause: This is by design for the link translation functionality of Forefront TMG.

Solution: There are three possible solutions:

Add a mapping to the link translation dictionary to replace www.contoso.com:81 with www.contoso.com. In this case, the host header in the request will be changed to www.contoso.com.

Disable the option to forward the original host header to the server, and enable link translation (without making any addition to the dictionary). In this case, the server will build links according to the internal name. Forefront TMG will use link translation to translate all internal links to the external name (including the port number).

Use the script discussed in Knowledge Base article KB925287 (http://go.microsoft.com/fwlink/?LinkId=179984).
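The host-header behaviour and the first two workarounds above, modelled in Python as an added example that is not Forefront TMG's own code; the function names and the constructed response body are assumptions, while the host names come from the example on this page.

```python
# Constructed model of the host-header behaviour described on this page.
# It is not Forefront TMG code: the function names and the sample response
# body are assumptions; the host names come from the page's own example.
import re

DEFAULT_PORTS = {"http": 80, "https": 443}


def forwarded_host_header(external_host, listener_port, internal_host,
                          internal_port, forward_original_host=True,
                          link_translation_dictionary=None):
    """Host header Forefront TMG sends to the published server.

    With 'forward the original host header' enabled the external name is
    forwarded, and the listener port is appended whenever the request is
    redirected to a different port (www.contoso.com:81, <hostheader>:443).
    A link translation dictionary entry such as
    'www.contoso.com:81' -> 'www.contoso.com' is applied to the header
    (solution 1 above).  With forwarding disabled the internal name is sent
    instead (solution 2 above).
    """
    if not forward_original_host:
        return internal_host
    host = external_host
    if listener_port != internal_port:
        host = f"{external_host}:{listener_port}"
    for old, new in (link_translation_dictionary or {}).items():
        host = host.replace(old, new)
    return host


def app_link(server_scheme, host_header, path):
    """Link a back-end application builds from the Host header it received;
    this is where the appended port shows up (the symptom described above)."""
    return f"{server_scheme}://{host_header}{path}"


def translate_links(body, internal_host, internal_port, external_host,
                    listener_scheme, listener_port):
    """Link translation (solution 2): rewrite absolute links that use the
    internal name into the external name, adding the listener port when it
    is not the default for the listener's scheme."""
    external = external_host
    if listener_port != DEFAULT_PORTS[listener_scheme]:
        external = f"{external_host}:{listener_port}"
    # the internal links may or may not carry the explicit back-end port
    pattern = re.compile(r"https?://" + re.escape(internal_host)
                         + r"(?::" + str(internal_port) + r")?(?![\w.-])")
    return pattern.sub(f"{listener_scheme}://{external}", body)


if __name__ == "__main__":
    # Listener on port 81 publishing www.contoso.com to domain.site.internal:80
    host = forwarded_host_header("www.contoso.com", 81, "domain.site.internal", 80)
    print("Host header sent to the back end:", host)      # www.contoso.com:81
    print("Link built by the application:", app_link("http", host, "/app/"))
    # HTTPS-to-HTTP bridging: listener on 443, back end on 80
    print(forwarded_host_header("www.contoso.com", 443, "domain.site.internal", 80))
    # Solution 1: a dictionary entry strips the port from the header
    print(forwarded_host_header(
        "www.contoso.com", 81, "domain.site.internal", 80,
        link_translation_dictionary={"www.contoso.com:81": "www.contoso.com"}))
    # Solution 2: forward the internal name and translate the response body
    body = '<a href="http://domain.site.internal/app/page">page</a>'  # constructed
    print(translate_links(body, "domain.site.internal", 80,
                          "www.contoso.com", "http", 81))
```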

Multiple server certificates not supported for a single SSL listener

Issue: Only one SSL server certificate can be bound to a Web listener.

Cause: Windows Schannel only allows a single certificate to be associated with a network listener.

Solution: To publish multiple SSL sites using the same IP address and port (listener), where all sites published use the same domain namespace, you can use a wildcard character certificate or a SAN certificate. For example, to publish sites OWA, WebSite1, and WebSite2 at contoso.com, you can acquire a wildcard character certificate (*.contoso.com) for Forefront TMG. Note that Forefront TMG only supports wildcard character certificates that are located on the Forefront TMG itself. In an HTTPS-to-HTTPS bridging scenario, you cannot use a wildcard character certificate to authenticate to the back-end Web server.

Protocol and Application issues

This section describes the following protocol and application issues, their causes, and solutions:

RPC-over-HTTP traffic inspection limitations

Live Communications Server not supported on the Forefront TMG computer

Forefront TMG does not support SIP traffic from an OCS server

Forefront TMG does not support CNG certificates

HTTPS inspection limitations


Forefront TMG does not support range requests

Secure FTP support

FTP limitations for Web Proxy clients

Forefront TMG does not support Routing Protocols

Colocating Remote Installation Services with Forefront TMG

Forefront TMG support in a virtual environment

Forefront TMG does not support IPv6 traffic

WCCP, ICP and ICAP protocols are not supported in Forefront TMG

RPC over HTTP traffic inspection limitations

Issue: RPC over HTTP traffic encrypts the RPC data in HTTP and is not inspected by the RPC filter.

Cause: The RPC filter cannot inspect RPC over HTTP traffic because:

Forefront TMG application filters cannot be chained to each other and Web filters cannot pass traffic to application filters.

The RPC filter expects RPC communications to begin on the RPC endpoint mapper (TCP:135), and so it cannot protect against RPC exploits reaching an Exchange server.

Note:

1. In outbound scenarios, RPC over HTTP requests may be SSL-tunneled, so HTTP inspection cannot occur following the initial CONNECT request unless HTTPS inspection is enabled.

2. NIS inspection still recognizes RPC within HTTP and performs behavioral and vulnerability filtering of the RPC traffic.

Solution: Deploy RPC over HTTP with these limitations in mind.

Live Communications Server not supported on the Forefront TMG computer

Issue: Running Live Communications Server on the Forefront TMG computer is not supported.

Cause: This is an untested scenario.


Solution: No workaround.

Forefront TMG does not support SIP traffic from an OCS server

Issue: Office Communicator SIP calls from an OCS server cannot pass through the Forefront TMG SIP filter.

Cause: OCS uses TLS for SIP traffic. The SIP filter in Forefront TMG cannot parse the TLS traffic.

Solution: No workaround. Solutions for OCS are provided by Security and Compliance Partners (http://go.microsoft.com/fwlink/?LinkId=179985).

Forefront TMG does not support CNG certificates

Issue: Forefront TMG does not support the use of certificates created using CNG (Certificate New Generation) based templates for Web listeners or as client certificate authentication in Web publishing or Web chaining rules.

Cause: CNG certificates are not usable by Forefront TMG.

Workaround: Create certificates using Windows 2000 or Windows 2003 templates.

HTTPS Inspection limitations

Issue: There are a number of limitations you should be aware of when enabling the HTTPS Inspection feature on Forefront TMG.

Cause: The following features are not supported:

Extended Validation (EV) SSL certificates.

Connections to external SSTP servers.

CNG certificates.

Servers that require client certificate authentication.

Solution: To bypass a limitation, you must exclude the specific site from HTTPS inspection.

Forefront TMG malware inspection does not support range requests

Issue: Forefront TMG strips off the range header when the malware inspection feature is enabled. Microsoft Update, download manager applications, Windows Media, and Adobe Reader are examples of potentially affected client applications.

Cause: The Forefront TMG malware inspection filter is not designed to assemble a file from multiple pieces that are retrieved out of order. When malware inspection is enabled, range headers are stripped from requests before being passed by Forefront TMG to the upstream server.

Solution: To work around this limitation do one of the following:


Add the site to the Destination Exceptions list for malware inspection settings.

Create an access rule that allows traffic to the selected destinations and does not apply malware inspection.

Secure FTP support

Issue: Forefront TMG does not support secure File Transfer Protocol (FTP).

Cause: Secure FTP uses an encrypted control channel between the FTP client and server. After the FTP client and server establish an encrypted control channel, the Forefront TMG FTP filter cannot see the FTP commands and so cannot create the dynamic policy changes that are necessary to fully support FTP communications.

Solution: There is an unsupported workaround available that allows you to publish secure FTP. For more information, see Publishing Secure FTP Servers behind ISA Firewalls at the ISAserver.org Web site (http://go.microsoft.com/fwlink/?linkid=51105).

FTP limitations for Web Proxy clients

Issue: The following limitations apply:

Web Proxy client FTP requests are passed over HTTP, and do not allow any action that would change the content or structure of the FTP server. Therefore you cannot use FTP upload from a Web Proxy client, and only FTP downloads are supported.

To access FTP sites that require authentication, credentials should be specified in the address bar using the following format: ftp://username:password@FTP_Server_Name.

By default, Forefront TMG uses PASV mode for FTP requests.

Solution: There is no workaround for these limitations at this time. For more information about troubleshooting outgoing FTP access, see Troubleshooting Outbound FTP (http://go.microsoft.com/fwlink/?LinkId=88856).

Forefront TMG does not support routing protocols

Issue: Forefront TMG is not a router and does not directly support routing protocols such as Border Gateway Protocol (BGP), Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Cause: Forefront TMG has no built-in support for these dynamic routing protocols.

Solution: No workaround.

Colocating Remote Installation Services with Forefront TMG

Issue: When Forefront TMG is installed, Remote Installation Services (RIS) takes an extreme length of time to deploy an image.


Cause: RIS uses Trivial File Transfer Protocol (TFTP). Forefront TMG has a predefined protocol for TFTP, with a secondary connection defined as all User Datagram Protocol (UDP) ports, but this will only work when the Forefront TMG Client is installed on the client computer.

Solution: Use the following workaround:

Open the complete range of UDP ports from the client to the TFTP server.

Open the complete range of UDP ports from the TFTP server to the client.

Forefront TMG support in a virtual environment

Forefront TMG is supported on hardware virtualization in accordance with the following programs:

Microsoft Support Lifecycle.

Forefront TMG system requirements.

Microsoft Server Virtualization Validation Program (SVVP).

Support Policy for Microsoft software running on non-Microsoft hardware virtualization software.

For example, if a hardware virtualization platform is listed as "validated" with the SVVP (not "under evaluation"), Forefront TMG will be supported for production use on that platform within the limits prescribed in the Microsoft Product Support Lifecycle, non-Microsoft hardware virtualization policies, and the system requirements for that product version and edition.

For hardware virtualization platforms not listed with the SVVP, Forefront TMG is supported in accordance with remaining Microsoft support policies, limited as follows:

Desktop virtualization, such as Microsoft Virtual PC or a similar 3rd-party product, is supported for demonstration and educational use only.

Server virtualization, such as Microsoft Virtual Server or a similar 3rd-party product, is supported, but not recommended for production use.

Important:

Microsoft support engineers may request that a customer reproduce a reported problem on real hardware or within an SVVP-listed hardware virtualization platform, before continuing with the case. If the problem cannot be reproduced in hardware or on a SVVP-listed server virtualization product of similar class, the case may be deferred to the 3rd-party vendor product support.


Tip:

For more information and best practices on edge virtualization, read Security Considerations with Forefront Edge Virtual Deployments (http://go.microsoft.com/fwlink/?LinkId=178740).

Forefront TMG does not support IPv6 traffic

Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG computer or array members. To disable the IPv6 stack on the Forefront TMG computer or array member, see Knowledge Base article KB929852 (http://go.microsoft.com/fwlink/?LinkId=179983).

WCCP, ICP and ICAP protocols are not supported in Forefront TMG

Issue: The Web Cache Communication Protocol (WCCP), the Internet Cache Protocol (ICP), and the Internet Cache Adaption Protocol (ICAP) are not supported in Forefront TMG.

Cause: This functionality does not exist in Forefront TMG.

Solution: No workaround.

Authentication issues

This section describes the following authentication issues, their causes, and solutions:

NTLM authentication issues in a chained Web proxy scenario

Kerberos authentication issues in a chained Web proxy scenario

Issues with clients authenticating on both downstream and upstream servers in a chained Web proxy scenario

Web Proxy SSL Connections are only supported for chained proxy connections

Forefront TMG access rules cannot authenticate based on a computer account

LDAP authentication in Forefront TMG

NTLM authentication issues in a chained Web proxy scenario

Issue: You may experience problems such as unexpected delays, incomplete pages, or random authentication warning messages, when you browse the Web in a chained configuration. This can occur when the following conditions are true:


The downstream Forefront TMG computer is configured to require integrated (NTLM) authentication.

No authentication is required (anonymous) on the upstream Web proxy server.

Internet Explorer is the client browser.

Cause: Internet Explorer may send an extraneous NTLM authentication header on a connection that has already been authenticated using integrated authentication with the downstream Forefront TMG computer.

Solution: For details on this behavior and workarounds, see the following Knowledge Base articles:

KB883285 (http://go.microsoft.com/fwlink/?linkid=54626).

KB810561 (http://go.microsoft.com/fwlink/?linkid=54627).

Kerberos authentication issues in a chained Web proxy scenario

Issue: When a client tries to authenticate with the upstream server, authentication fails if the client tries to use Kerberos authentication. This can occur when the following conditions are true:

You configure an upstream Forefront TMG that requires Kerberos authentication.

You configure a downstream Forefront TMG that does not require authentication (anonymous).

Cause: When the upstream Forefront TMG requests authentication, the client computer obtains a Kerberos ticket for the downstream server. This Kerberos ticket is valid for authentication with the downstream Forefront TMG. This ticket cannot be used to authenticate with the upstream Forefront TMG. When the Kerberos ticket is presented to the upstream Forefront TMG, the upstream Forefront TMG cannot validate the ticket, causing authentication to fail.

Solution: Deploy Kerberos authentication with this limitation in mind, or configure the upstream Forefront TMG server to only use NTLM authentication (accomplished by running the script given in KB927265 (http://go.microsoft.com/fwlink/?LinkId=180368)).

Issues with clients authenticating on both downstream and upstream servers in a chained Web proxy scenario

Issue: When a client tries to authenticate with the upstream Forefront TMG server, authentication fails if the client is also required to authenticate with the downstream Forefront TMG server.

Cause: Clients cannot transparently authenticate with both a downstream and an upstream Forefront TMG server. A scenario where both Forefront TMG servers require unique client authentication is not supported.


Solution: Implement one of the following solutions:

If unique client authentication is necessary on the downstream Forefront TMG server:

Configure the downstream Forefront TMG server Web chaining rule to provide credentials to the upstream Forefront TMG server, or configure the upstream Forefront TMG server to allow traffic anonymously (no authentication).

If unique client authentication is necessary on the upstream Forefront TMG server:

Configure the downstream Forefront TMG server to allow traffic anonymously (no authentication). To ensure caching is possible on the downstream Forefront TMG server in this scenario, run the script given in KB915025 (http://go.microsoft.com/fwlink/?LinkId=180367). Note that only integrated (NTLM) authentication is supported in this scenario (see Kerberos authentication issues in a chained Web proxy scenario).

Web Proxy SSL connections are only supported for chained proxy connections

Issue: A Web Proxy client application is not supported with the SSL Web proxy listener.

Cause: This listener is designed for use in Web-chained configuration when Basic delegation is used to prevent credentials sniffing. Web proxy clients may be configured to use and authenticate to this listener, but CERN proxy SSL connections cannot be established through it, because they cannot establish more than one SSL session on a TCP connection.

Solution: No workaround. Forefront TMG can use a client certificate to authenticate against an upstream Forefront TMG computer. In this scenario, you can define an SSL connection between a downstream Forefront TMG computer and an upstream Forefront TMG computer.

Forefront TMG access rules cannot authenticate based on a computer account

Issue: Forefront TMG access rules cannot authenticate based on a computer account; for example, allowing a specific user working from home full access from a corporate laptop, but limited access from a home computer.

Cause: Forefront TMG can only use a computer account for rule authentication under specific circumstances. Forefront TMG evaluates authentication conditions for a rule from the settings on the Users tab of that rule, and identifies the computer originating a request on the From tab. A rule is evaluated and applied if all the rule's conditions are met. Within a particular tab, a rule is applied if any of the conditions are met. For example, if the Users tab indicates that authentication is applied to three groups, a user only needs to belong to one of the groups in order for the rule to be applicable.


On the Users tab, Forefront TMG allows you to specify users, groups, and security principals to be authenticated on a rule. However, if you specify a computer account on the Users tab, only applications running under the Local System or Network Service account on the specified computer will be authenticated, when the specified computer authenticates to a domain controller using Kerberos. This can occur when the Web proxy listener of Forefront TMG is enabled for Windows Integrated authentication, and the client supports Kerberos authentication (for example Windows Update).

You specify a computer account (DomainName\ComputerName$) on the Users tab. With this setting, any service (running under the Local System account or the Network Service account) that runs a Kerberos-enabled client will be authenticated, and access allowed or denied in accordance with the rule settings. If only a domain group that is limited to user accounts is specified on the Users tab, authentication of the client application using the computer account will fail to match the rule. If a rule has both a domain user group and a computer accounts group specified, the rule can be matched for a computer account.

Solution: One workaround to differentiate remote clients by computer might be to use a VPN solution, as follows:

1. Create an access rule from the VPN Quarantine Clients network to the destination network. The VPN Quarantine Clients network will include the home computer. Specify a more limited access policy in this rule, and optionally, add a user account. The VPN Quarantine network must be enabled, and ensure that the disconnection time is not specified (this is the default setting).

2. Create an access rule from the VPN Clients network to the destination network. The VPN Clients network will include the corporate laptop. Specify a more permissive policy on this rule, and add user accounts as required.

For this solution to work, you must include the Quarantine solution on each of the corporate computers.
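The rule evaluation described in the Cause above (all tabs must match, any entry within a tab suffices, and a computer account matches only a Kerberos-authenticated service) together with the two-rule VPN workaround, modelled in Python as an added example that is not Forefront TMG's own code; the Request and AccessRule structures, the function names and the CONTOSO account and computer names are assumptions.

```python
# Constructed model of the access-rule evaluation described on this page; it is
# not Forefront TMG code.  The Request/AccessRule structures, function names and
# the CONTOSO sample names are assumptions; the evaluation order follows the
# page: a rule applies only when every tab matches, and a tab matches when any
# one of its entries matches.
from dataclasses import dataclass

# Only services running under these accounts authenticate with the computer
# account (DomainName\ComputerName$), and only when the client uses Kerberos.
SERVICE_ACCOUNTS = {"Local System", "Network Service"}


@dataclass(frozen=True)
class Request:
    source_network: str               # From tab: network the request arrived on
    principal: str = ""               # authenticated account: user or COMPUTER$
    groups: frozenset = frozenset()   # groups the principal belongs to
    run_as: str = ""                  # account the client process runs under
    kerberos: bool = False            # client authenticated with Kerberos


@dataclass(frozen=True)
class AccessRule:
    name: str
    from_networks: frozenset          # From tab entries
    users: frozenset = frozenset()    # Users tab entries; empty = All Users
    policy: str = ""                  # what the rule grants (informational)


def is_computer_account(principal):
    return principal.endswith("$")


def users_tab_matches(rule, req):
    """Any one Users-tab entry matching is enough for the tab to match."""
    if not rule.users:                # All Users: no authentication required
        return True
    if not req.principal:             # anonymous request against an auth rule
        return False
    if is_computer_account(req.principal):
        # A computer account is only presented when a Kerberos-enabled client
        # runs as Local System or Network Service on that computer.
        if not (req.kerberos and req.run_as in SERVICE_ACCOUNTS):
            return False
    # A users-only group never contains the computer account, so a rule that
    # lists only such a group does not match a computer-account request.
    return req.principal in rule.users or bool(rule.users & req.groups)


def from_tab_matches(rule, req):
    return req.source_network in rule.from_networks


def first_matching_rule(rules, req):
    """Rules are evaluated in order; all tabs must match for a rule to apply."""
    for rule in rules:
        if from_tab_matches(rule, req) and users_tab_matches(rule, req):
            return rule
    return None


# The VPN-based workaround from the page: the home computer lands in the
# Quarantined VPN Clients network, the corporate laptop (running the quarantine
# client) in the VPN Clients network, so different rules apply to the same user.
VPN_RULES = (
    AccessRule("Limited access for quarantined clients",
               frozenset({"Quarantined VPN Clients"}),
               frozenset({r"CONTOSO\alice"}), policy="limited"),
    AccessRule("Full access for corporate laptops",
               frozenset({"VPN Clients"}),
               frozenset({r"CONTOSO\alice"}), policy="permissive"),
)


def policy_for(rules, req):
    rule = first_matching_rule(rules, req)
    return rule.policy if rule else "denied (no matching rule)"


if __name__ == "__main__":
    alice_home = Request("Quarantined VPN Clients", r"CONTOSO\alice")
    alice_laptop = Request("VPN Clients", r"CONTOSO\alice")
    print(policy_for(VPN_RULES, alice_home))      # limited
    print(policy_for(VPN_RULES, alice_laptop))    # permissive
```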

LDAP authentication in Forefront TMG

Issue: LDAP authentication is not supported for access rules.

Cause: In Forefront TMG, LDAP authentication is available only as an authentication method in Web publishing scenarios.

Solution: No workaround.