Practice V2.1 (PDF)




File information


Title: Forefront Threat Management Gateway 2010
Author: lalas

This PDF 1.5 document has been generated by Microsoft® Word 2013, and has been sent on pdf-archive.com on 08/06/2017 at 22:40, from IP address 109.93.x.x. The current document download page has been viewed 554 times.
File size: 1.2 MB (70 pages).
Privacy: public file


















FOREFRONT THREAT
MANAGEMENT GATEWAY
2010
The book of practices.

lalas

TABLE OF CONTENTS
Preparing Virtual Computers
Module 2. Installing and Maintaining TMG 2010 Server
Module 3. Enabling Access to Internet Resources
Module 4. Configuring TMG Server as Firewall
Module 5. Configuring Access to Internal Resources
Module 6. Integrating TMG server and Exchange server
Module 7. Advanced Application and Web filtering
Module 8. Configuring Virtual Private Network Access for Remote Clients and Networks
Module 9. Implementing Caching
Module 10. Monitoring TMG Server

PREPARING VIRTUAL COMPUTERS
1. Start all virtual computers (DEN-DC-01, DEN-TMG-01, DEN-CLT-01, DEN-MSG-01, DEN-WEB01, GEN-WEB-01)
2. Log on to all virtual computers with username cohovineyard\Administrator and password
of Pa$$w0rd, except for GEN-WEB-01 where you should use username Administrator and
password of Pa$$w0rd.
3. Repeat steps 4 - 13 on all virtual computers.
4. Click Virtual Box Devices menu and then click Insert Guest Additions CD Image.
5. On AutoPlay window click Run VBoxWindowsAdditions.exe then click Next.
6. Click Next, then Click Install.
7. Click Finish. Wait while virtual computer restarts.
8. Click Virtual Box Machine menu, then click ACPI Shutdown. Wait while virtual computer
shuts down.
9. On Host computer switch to Oracle VM Virtual Box Manager.
10. Select the virtual computer you’ve just shut down.
11. Click Snapshots button.
12. Click Take snapshot button.
13. Enter the Snapshot name RTM, then click OK.


MODULE 2. INSTALLING AND MAINTAINING TMG 2010 SERVER
Practice: Installing TMG Server 2010
Virtual Computers: DEN-DC-01, DEN-TMG-01

Installing TMG Server 2010.
1. Log on to DEN-TMG-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Open Windows Explorer and browse to C:\Microsoft Forefront TMG\autorun.exe.
3. Click Run Preparation Tool.
4. Click Next.
5. Click checkbox next to I accept the terms of the License Agreements.
6. Click Next.
7. Review default selection of Forefront TMG services and Management.
8. Click Next.
9. Click Finish. Forefront TMG Installation Wizard automatically starts.
10. On the Welcome to the Installation wizard for Forefront TMG standard page, click Next.
11. Click I accept the terms in the License Agreement, then click Next.
12. Click Next.
13. Click Next.
14. Click Add.
15. Click Add Adapter.
16. Select Internal, then click OK.
17. Click OK.
18. Click Next.
19. Click Next.
20. Click Install. Installation may take some time.
21. On the Installation Wizard Completed page click Finish.
22. Click Exit in Welcome to Forefront TMG autorun window.
23. Close the Windows Explorer window.
24. Close the Internet Explorer window.

Running post installation configuration.
1. Click Start\All Programs\Microsoft Forefront TMG.
2. Click Forefront TMG Management.
3. In the Getting Started Wizard click Configure network settings.
4. Click Next.
5. Review the default selection of Edge Firewall, then click Next.
6. On the Local Area Network (LAN) Settings page, click dropdown list and select Internal.
7. Review adapter configuration, then click Next.
8. On the Internet Settings page click dropdown list and select External.
9. Review adapter default configuration, then click Next.
10. Click Finish.
11. Click Configure system settings.
12. Click Next.
13. On the Host Identification page, review computer configuration, then click Next.
14. Click Finish.
15. Click Define deployment options.
16. Click Next.
17. Click I do not want to use Microsoft Update Service. (On production machine you would do
the opposite), then click Next.
18. Click Yes in Microsoft Update Setup popup window.
19. On the Forefront TMG Protection Features Settings page, click Next.
20. Click No, I don’t want to participate then click Next.
21. Click None. No information is sent to Microsoft, then click Next.
22. Click Finish.
23. Deselect Run the Web Access wizard.
24. Click Close.
25. Click Start.
26. Click Log off.

Practice: Verifying the Installation of Forefront TMG 2010 Server
Virtual Computers: DEN-DC-01, DEN-TMG-01

Verifying successful installation of Forefront TMG 2010 Server.
1. Log on to DEN-TMG-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Click Start\Administrative Tools\Services.
3. Verify that the following services are installed and started:
   • Microsoft Forefront TMG Control.
   • Microsoft Forefront TMG Firewall.
   • Microsoft Forefront TMG Job Scheduler.
   • SQL Server (ISARS).
   • SQL Server (MSFW).
4. Click Start.
5. Click Log off.

Practice: Configuring SecureNAT and Web Proxy Clients
Virtual Computers: DEN-DC-01, DEN-TMG-01, DEN-CLT-01

Configuring a SecureNAT client
1. Log on to DEN-DC-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Click Start.
3. Click Run.
4. Type cmd and click OK.
5. In the command prompt window type ipconfig. Notice that the Default Gateway parameter
is missing.
6. Click Start\Control Panel.
7. Click Network and Internet.
8. Click Network Sharing Center.
9. Click Change Adapter Settings.
10. Right click Local Area Connection, then select Properties.
11. Click Internet Protocol version 4 (TCP/IPv4), then click Properties.
12. In the Default gateway field type 192.168.1.1.
13. Click OK.
14. Click Close.
15. Click Start.
16. Click Log off.

Configuring a Web Proxy client
1. Log on to DEN-CLT-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Click Start\Control Panel.
3. Click Network and Internet.
4. Click Internet Options.
5. Click Connections tab.
6. Click LAN Settings.
7. Click Use a proxy server for your LAN (These settings will not apply to dial-up or VPN
connections).
8. In the Address field type DEN-TMG-01.
9. In the Port field type 8080.
10. Click Bypass proxy server for local addresses.
11. Click OK.
12. Click OK.
13. Click Start\Right arrow\Log off.

Practice: Installing the Firewall Client
Virtual Computers: DEN-DC-01, DEN-TMG-01, DEN-CLT-01

Configuring Firewall Client Settings on Forefront TMG 2010 Server
1. Log on to DEN-TMG-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Click Start\Forefront TMG Management.
3. In the Tree pane (Left part of the window), expand Forefront TMG (DEN-TMG-01) node.
4. Click Networking.
5. In the details pane (Middle part of the window), click Networks tab, then double click
Internal.
6. In the Domains tab click Add.
7. Click Browse, then select cohovineyard.com and click OK.
8. Click OK.
9. Click Forefront TMG Client tab.
10. Review the default configuration. Notice that Enable Forefront TMG Client support for this
network is selected.
11. Click OK.
12. Click Apply.
13. Click Do not show this prompt again, then click Apply.
14. Click OK.

Installing the firewall client
1. Run Windows Explorer and open folder C:\Microsoft Forefront TMG.
2. Right click on client folder, then select copy.
3. Close the Windows Explorer window.
4. Click Start\Run.
5. Type \\DEN-DC-01\C$, then click OK.
6. Paste into the \\DEN-DC-01\C$ folder.
7. Log Off DEN-TMG-01.
8. Log on to DEN-DC-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
9. Run Windows Explorer.
10. Open C:\ folder (drive root).
11. Right click Client folder, then select Properties.
12. Click Sharing tab.
13. Click Advanced Sharing.
14. Click Share this Folder.
15. Click OK.
16. Click Close.
17. Log Off DEN-DC-01.
18. Log on to DEN-CLT-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
19. Click Start.
20. In Search programs and files field type \\DEN-DC-01\Client and press Enter.
21. Double click on MS_FWC.msi file.
22. Click Next.
23. Click I accept the terms in the license agreement, then click Next.
24. Click Next.
25. On the Forefront TMG Computer Selection review defaults, then click Next.
26. Click Install.
27. Click Finish.
28. In the notification area of Taskbar (low right portion of the screen), click Up arrow, then
double click the Forefront TMG client icon.
29. Click Settings Tab.
30. Notice no Forefront TMG detected message in active text box. This means that Automatic
detection of Forefront TMG server has failed.
31. Log Off DEN-CLT-01.

Practice: Configuring Firewall Client Automatic Discovery
Virtual Computers: DEN-DC-01, DEN-TMG-01, DEN-CLT-01

Preparing Forefront TMG 2010 Server for Automatic Discovery using AD marker.
1. Log on to DEN-TMG-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Open Forefront TMG Management.
3. In the tree pane locate Networking node under Forefront TMG (DEN-TMG-01).
4. In the details pane, under Network tab, double click Internal.
5. Click Auto Discovery tab.
6. Click Publish automatic discovery information for this network, then click OK.
7. Click Apply.
8. Click Apply.
9. Click OK.
10. Run Windows Explorer.
11. Locate Folder C:\Microsoft Forefront TMG\Tools.
12. Double click on ADConfigPack.exe.
13. Click Next.
14. Click I accept the terms in the license agreement, then click Next.
15. Click Next.
16. Click Finish.
17. Open Command Prompt.
18. Type cd\ then press Enter key.
19. Type cd Program Files (x86), then press Enter key.
20. Type cd Microsoft Forefront TMG Tools, then press Enter key.
21. Type cd adconfig, then press Enter key.
22. Type:
TmgAdConfig.exe add -default -type winsock -url http://DEN-TMG-01:8080/wspad.dat
then press Enter key.
23. Notice the message New Winsock default marker successfully registered.
24. Log Off DEN-TMG-01.

Confirming Firewall Client Automatic Discovery
1. Log on to DEN-CLT-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. In the notification area of Taskbar (low right portion of the screen), click Up arrow, then
double click the Forefront TMG client icon.
3. Click Settings Tab.
4. Notice that Automatically detected Forefront TMG server is DEN-TMG-01.
5. Log Off DEN-CLT-01.

Configuring DHCP Server for automatic Discovery (for older Firewall Client Versions)
1. Log on to DEN-DC-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Click Start\Administrative Tools\DHCP.
3. Expand den-dc-01.cohovineyard.com node.
4. Expand IPv4 node.
5. Right click IPv4, then click Set Predefined Options.
6. Click Add.
7. Configure the following Information (case sensitive):
   • Name: WPAD
   • Data Type: String
   • Code: 252
8. Click OK.
9. In the Value field type: http://den-tmg-01.cohovineyard.com:80/wpad.dat then click OK.
10. Expand IPv4 node.
11. Expand Scope [192.168.1.0] Head Office node.
12. Double click Scope Options node.
13. Right click Scope Options, then select Configure Options.
14. Scroll to the bottom.
15. Select option 252 WPAD, then click OK.
16. Close DHCP console.

Configuring DNS Server for automatic Discovery (for older Firewall Client Versions)
1. Click Start\Administrative Tools\DNS.
2. Expand Forward Lookup Zones node.
3. Expand cohovineyard.com zone.
4. Notice that required Host (A) record for DEN-TMG-01 is present.
5. Right click cohovineyard.com zone, then select New Alias (CNAME), and configure the
following (case sensitive):
   • Alias: WPAD
   • Fully Qualified domain name (FQDN) for target host: den-tmg-01.cohovineyard.com
6. Click OK.
7. Close DNS console.
8. Log off DEN-DC-01.
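
A check for the automatic discovery settings configured in the AD marker, DHCP and DNS practices above, run from DEN-CLT-01. This is an added example and not part of the original lab manual; the host names, ports and file names are the ones used in the steps, the wpad.cohovineyard.com name is derived from the WPAD alias created in that zone, and the Resolve-IPv4 helper is a name made up for this script.

```powershell
# Added example (not from the lab manual). Names, ports and file names are
# taken from the steps above. Works on PowerShell 2.0 and later.
$tmgFqdn  = 'den-tmg-01.cohovineyard.com'
$wpadName = 'wpad.cohovineyard.com'    # assumed FQDN of the WPAD alias
$urls = @(
    'http://den-tmg-01.cohovineyard.com:80/wpad.dat',  # DHCP option 252 value
    'http://DEN-TMG-01:8080/wspad.dat'                 # AD marker URL
)

function Resolve-IPv4([string]$Name) {
    # Returns the sorted IPv4 addresses for a name, or nothing if lookup fails.
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString } | Sort-Object
    } catch { }
}

# The WPAD alias must resolve, and only to addresses the TMG server owns.
$tmgIps  = @(Resolve-IPv4 $tmgFqdn)
$wpadIps = @(Resolve-IPv4 $wpadName)
$stray   = @($wpadIps | Where-Object { $tmgIps -notcontains $_ })

if ($wpadIps.Count -eq 0)   { Write-Warning "$wpadName does not resolve." }
elseif ($stray.Count -gt 0) { Write-Warning "$wpadName resolves to unexpected address(es): $stray" }
else                        { "OK: $wpadName -> $wpadIps (same as $tmgFqdn)" }

# Fetch both discovery files directly, without going through a proxy.
$client = New-Object System.Net.WebClient
$client.Proxy = New-Object System.Net.WebProxy   # empty proxy: connect directly
foreach ($url in $urls) {
    $row = @{ Url = $url; Fetched = $false; Length = 0; LooksLikePac = $false }
    try {
        $body = $client.DownloadString($url)
        $row.Fetched = $true
        $row.Length  = $body.Length
        # A proxy auto-config script defines FindProxyForURL; expect True
        # for wpad.dat only, wspad.dat is a Firewall Client settings file.
        $row.LooksLikePac = $body -match 'FindProxyForURL'
    } catch {
        Write-Warning "Could not fetch ${url}: $($_.Exception.Message)"
    }
    New-Object PSObject -Property $row
}
```

If the alias does not resolve although the CNAME record exists, check the DNS server's global query block list with dnscmd /info /globalqueryblocklist; on Windows Server 2008 and later it contains wpad by default.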

Practice: Securing the Forefront TMG 2010 Server
Virtual Computers: DEN-DC-01, DEN-TMG-01, DEN-CLT-01

Configuring Network Settings to Secure Forefront TMG 2010 Server.
1. Log on to DEN-TMG-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Click Start\Run.
3. Type OOBE, then press Enter key.
4. Click Enable Automatic Updating and Feedback.
5. Click Manually Configure Settings.
6. Under Windows Automatic Updating click Change Setting…
7. In Important Updates drop down menu select Download Updates but let me choose
whether to Install them.
8. Uncheck Allow all users to install updates on this computer, then click OK.
9. Click Close.
10. Normally now you would run Download and Install Updates but we shall skip this step
because Microsoft Update is inaccessible from this virtual machine.
11. Click Configure Networking.
12. Right click on External network adapter, then select Properties.
13. Click Internet Protocol version 4 (TCP/IPv4), then click Properties.
14. Click Advanced.
15. Click DNS tab.
16. Clear Register this connection’s address in DNS.
17. Click WINS tab.
18. Clear Enable LMHOSTS lookup.
19. Click Disable NetBIOS over TCP/IP.
20. Click OK two times.
21. Clear Client for Microsoft Networks.
22. Clear File and Printer Sharing for Microsoft Networks.
23. Clear Link-Layer Topology Discovery Mapper I/O Driver.
24. Clear Link-Layer Topology Discovery Responder.
25. Click Close.
26. Log Off DEN-TMG-01.
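
An audit of the External adapter against steps 16 to 19 of the practice above, run on DEN-TMG-01. This is an added example and not part of the original lab manual; it assumes the connection is named External as in this lab, reads the settings through WMI, and does not cover the component bindings cleared in steps 21 to 24.

```powershell
# Added example (not from the lab manual). 'External' is the connection name
# used in this lab. Uses WMI only, so it works on PowerShell 2.0.
$adapterName = 'External'

$nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$adapterName'"
if (-not $nic) { throw "No network connection named '$adapterName' was found." }

$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
if (-not $cfg.IPEnabled) {
    Write-Warning "'$adapterName' is not IP-enabled; WMI may report empty values."
}

# Expected values once steps 16 to 19 have been carried out.
$checks = @(
    @{ Step = 16; Setting = 'Register this connection''s address in DNS'
       Property = 'FullDNSRegistrationEnabled'; Expected = $false },
    @{ Step = 18; Setting = 'Enable LMHOSTS lookup'
       Property = 'WINSEnableLMHostsLookup';    Expected = $false },
    @{ Step = 19; Setting = 'NetBIOS over TCP/IP (2 = disabled)'
       Property = 'TcpipNetbiosOptions';        Expected = 2 }
)

$results = foreach ($c in $checks) {
    $actual = $cfg.($c.Property)
    New-Object PSObject -Property @{
        Step      = $c.Step
        Setting   = $c.Setting
        Expected  = $c.Expected
        Actual    = $actual
        # An empty value is reported as non-compliant, not silently passed.
        Compliant = ($actual -ne $null) -and ($actual -eq $c.Expected)
    }
}
$results | Sort-Object Step |
    Format-Table Step, Setting, Expected, Actual, Compliant -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) differ from the practice."
}
```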

Delegating Administrative Rights
1. Log on to DEN-DC-01 virtual computer with username cohovineyard\Administrator and
password of Pa$$w0rd.
2. Click Start\Administrative Tools\Active Directory Users and Computers.
3. Right click on Users container, then select New\User.
4. Enter following:






This file has been shared publicly by a user of PDF Archive.
Document ID: 0000609048.