Microsoft Forefront Threat Management Gateway 2010 builds on the powerful. And can be operated as a virtual machine to cut costs and enhance recoverability. A key part of Forefront TMG's IPS architecture is the Network Inspection. Previous-generation ASA 5500-X security appliances and include centralized control.

tmg forefront microsoft, 3703 records found, first 100 of them are:

This chapter describes how to configure communication between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010. The following sections are provided:

43.1 What is New in This Release?

Support for integration between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010.

Details in this chapter presume that you are familiar with Access Manager policies and operation.

43.2 Introduction to Integration with TMG Server 2010

This section provides an overview of the tasks that, once performed, enable this integration. Topics included are:

43.2.1 About This Integration

Microsoft Forefront Threat Management Gateway (TMG) 2010 is the next generation of the Internet Security and Acceleration (ISA) Server 2006.

This chapter provides steps to configure an open (non-secured) connection between the Forefront TMG Web server and Access Manager. This communication is based on using a 10g Webgate for ISAPI. For details about using a secured connection, see your Forefront TMG Server documentation.

You can have IIS Web server and Forefront TMG installed on same or on different computer. In examples in ths chapter, both reside on same host.

The following overview outlines the tasks that you must perform and the topics where you will find the steps to set up the ISAPI Webgate with the TMG Server within this chapter.

Task overview: Installing and configuring the ISAPI Webgate on TMG Server

1. Getting the latest certification matrix as described in 'About Confirming Certification Requirements'.

2. 'Creating a Forefront TMG Policy and Rules'

43.2.2 About Confirming Certification Requirements

Any references to specific versions and platforms in this chapter are for demonstration purposes. For the latest certification information, see Oracle Technology Network at:

43.3 Creating a Forefront TMG Policy and Rules

After you install Forefront TMG 2010, other computers cannot ping the computer hosting Forefront because the default firewall policy denies all the traffic from and to the host.

This section provides the information you need for:

43.3.1 Creating a Custom Policy for Forefront TMG

You can create a custom Forefront firewall policy.

Prerequisites:

Install Forefront TMG 2010 using documentation from your vendor.

To create a custom policy to over ride the default firewall policy

1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.
2. From the left pane, click Firewall Policy.
3. From the right pane, click Create Access Rule to create a custom policy,
4. Create a rule with the following attributes and values assigned:

   • Name: Name for custom policy

   • Action =Allow

   • Protocol =All Outbound

   • Malware Inspection = Don not enable Malware Inspection for this rule

   • From =External,Internal,Local Host

   • To= External,Internal,Local Host

   • Condition =All Users

5. Click Next to create the Access Rule, then click Apply.
6. Restart Forefront TMG to have changes take affect:

   • Stop Firewall Service use the command net stop fwsrv

   • Start Firewall Service use the command net start fwsrv

7. Proceed to 'Creating a Forefront TMG Firewall Policy Rule'

43.3.2 Creating a Forefront TMG Firewall Policy Rule

To protect the resource, you must create a firewall policy rule using the Forefront TMG console.

When you create a listener for Authentication Preferences, be sure to check Allow client authentication over HTTP and Require All users to authenticate. Otherwise, you will not be able to access the published Web site using the TMG proxy.

Authentication Delegation is used by the TMG server to authenticate to the published Web server.

Note:

You can have IIS and Forefront TMG installed on the same (or a different) computer. Here, both reside on same host.

To create a custom policy to override the default firewall policy

1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.
2. From the left pane, click Firewall Policy.
3. From the Tasks tab, click Publish Web Sites.
4. In the Web publishing rule name field, type a descriptive name for the rule, and then click Next.
5. On the Select Rule Action page, confirm that the Allow option is selected, and then click Next.
6. In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next.

   Step 7 describes configuration with an open (non-secured) connection with the Web server. If you are using a secured connection, see your Forefront TMG Server documentation.

7. On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next.
8. Perform the following steps to set internal publishing details:

   • In the Internal site name field, type the internally-accessible name of the IIS/apache Web server host: iis_host.us.example.com, for example.

   • Check the box beside Use a computer name or IP address to connect to the published serve (or enter the IP address of the IIS Web server host).

   • Click Next.

9. Protecting Resources: Perform following steps to protect resources within a particular folder in the Web site (or a single resource):

   Note:

   The folder must reside within htdocs/wwwroot of the corresponding Web server.

   • Folder Containing Resources: In the Path field, type the folder name to display the full path of the published Web site in the Web site field (Res/* for example).

   • Single Resource: Type the resource name (test.html for example).

   • Click Next.

10. In the Accept requests for list:

    • Click your domain name (for example: myhost.example.com).

    • In the Public name field, type the publicly-accessible fully-qualified Web site domain name of the host where Forefront TMG will be installed (for example: myhost.example.com).

    • Click Next.

11. In the Web listener list, either click the Web listener to use for this Web publishing rule, or create a new Web listener as follows:

    Note:

    Listener can also be configured in SSL mode if required; see your Forefront TMG documentation.

    • Click New, type a descriptive name for the new Web listener, and then click Next.

    • Click Do not require SSL secured connections with clients, and then click Next.

    • In the Listen for requests from these networks list, click the required networks (External, Internal, and Localhost) then click Next.

    • Click No on the message that appears.

    • In the Select how clients will provide credentials to Forefront TMG Server list, click No Authentication, and then click Next.

    • On the Single Sign On Settings page, click Next, and then click Finish.

12. On the Select Web Listener page:

    • Click Edit.

    • Click connections tab.

    • Provide any unused port for Enable HTTP connections on port attribute (This will act as Forefront TMG port.)

    • Click Apply; click Ok.

    • Click Next.

    • On the Single Sign On Settings page, click Next, and then click Finish.

13. Authentication Delegation: Perform the following steps to choose the method used by Forefront TMG to authenticate to the published Web server list.

    • Click No Delegation, and Client Cannot Authenticate Directly.

    • Click Next.

14. On the User Sets page:

    • Choose All (the default user setting - All Users) to set the rule that applies to requests from the user sets field.

    • Click Next, and then click Finish.

15. Click Apply to update the firewall policy, and then click OK.
16. Double-click the recently created Firewall Policy.
17. Bridging:

    • Open the Bridging tab.

    • Provide suitable unused port for Redirect request to HTTP port attribute (which will act as the IIS or Apache Web server port).

18. Click Apply to update the firewall policy, and then click OK.
19. IIS or Apache Web server.
20. Restart Forefront TMG to have changes take affect:

    • Stop Firewall Service use the command net stop fwsrv

    • Start Firewall Service use the command net start fwsrv

      

21. Double-click the rule just created:

    • Open the Link Translation tab.

    • Confirm that Apply Link Translation to this rule is checked.

    • Click the Mapping button to see the mapping created between Forefront TMG and IIS or Apache

22. Proceed to 'Verifying Forefront TMG Proxy Configuration'

43.3.3 Verifying Forefront TMG Proxy Configuration

You can validate the Forefront TMG proxy configuration, you can simply access the protected resource using the TMG port.

1. Protected Single Resource: Enter the URL to the TMG host and port where the protected resource resides. For example:
2. Protected Folder: Enter the URL to the TMG host and port where the folder containing the resource resides. For example:
3. Confirm there are no issues accessing the protected resource.

43.4 Installing and Configuring 11g Webgate for Forefront TMG Server

You can set up the 11g Webgate and register plug-ins as Web filters.

Task overview: Configuring Webgate and Filters for TMG Server includes

43.4.1 Installing 11g Webgate with TMG Server

When you install Webgate with the Forefront TMG Server, the destination for the ISAPI Webgate installation (also known as the Webgate_install_dir) should be same as that of the Microsoft Forefront TMG.

For example, if Forefront TMG is installed in C:Program FilesMicrosoft Forefront Threat Management Gateway, the ISAPI Webgate should also be installed there.

Task overview: Installing the ISAPI Webgate for Forefront TMG Server

1. Register a 11g ISAPI Webgate with Access Manager.

   Note:

   During Webgate installation, select the TMG option.

2. Install the ISAPI Webgate for TMG.
3. Proceed to the 'Changing webgate Directory Permissions' section.

43.4.2 Changing webgate Directory Permissions

After finishing ISAPI Webgate installation and configuration for the Forefront TMG Server, you must change permissions to the webgate subdirectory.

This subdirectory was created in the Forefront TMG Server (also Webgate) installation directory. You must add the user NETWORK SERVICE and grant full control to SYSTEM ADMINISTRATOR. This enables the Forefront TMG Server to establish a connection between the Webgate and Access Server. Certain configuration files should be readable by system administrators, which is why you grant SYSTEM ADMINISTRATOR full control.

Note:

Webgate in Simple Mode: add user NETWORK SERVICE and give Full Control for the password.xml file in TMG_install_dir<TMG_WG_INSTANCE_DIR>/webgate/config/password.xml.

To change permissions for webgate install and instance subdirectory:

1. cacls <WG Instance Dir>webgate /E/T/G NETWORK:f
2. cacls <WG Instance Dir>webgate /E/T/G “NETWORK SERVICE”:f
3. cacls <WG Install Dir>webgate /E/T/G NETWORK:f
4. cacls <WG Install Dir>webgate /E/T/G “NETWORK SERVICE”:f
5. Proceed to the 'Configuring the TMG 2010 Server for the ISAPI 11g Webgate' section.

43.5 Configuring the TMG 2010 Server for the ISAPI 11g Webgate

You can configure the TMG Server to operate with the 11g ISAPI Webgate for Access Manager.

Task overview: Configuring the TMG 2010 Server for the ISAPI 11g Webgate

1. Verifying Form-based Authentication.

43.5.1 Registering Access Manager Plug-ins as TMG Server Web Filters

After resetting ISAPI Webgate permissions, you need to register Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within Forefront TMG Server.

Web filters screen all HTTP traffic that passes through the TMG Server host. Only compliant requests are allowed to pass through. The following procedure describes how to register Access Manager plug-ins in the TMG Server.

Note:

To undo the filter registration, you can use the following procedure with the /u option in the regsvr32 command. For example: <TMG_WG_INSTALL_DIR>webgateiislibwebgate.dll

To register Access Manager plug-ins as TMG Server Web filters

1. Locate the TMG Server installation directory, from which you will perform the following tasks.
2. Run net stop fwsrv to stop the TMG Server.
3. Register the webgate.dll as an ISAPI Web filter by running:
   regsvr32 <TMG_WG_INSTALL_DIR>webgateiislibwebgate.dll
4. Restart the TMG Server by running net start fwsrv.

43.5.2 Verifying Form-based Authentication

You need to ensure that the published Web site is accessible using the TMG proxy and verify that form-based authentication is working.

TMG supports both Basic over LDAP and Form-based or Basic authentication. You can choose the desired authentication scheme. TMG need access to login.html, which you configure as described here.

To verify that form-based authentication is working

1. Store the login page at the docroot of the Web server protecting the resource so that the TMG server can access the login page.
2. Ensure that the published Web site is accessible to the TMG proxy.
3. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.
4. From the left pane, select the Firewall Policy.
5. On the right, under the Firewall Policy Rule, select the rule that was created to protect the resource.
6. Go to the policy rule properties, select the Path tab, then add the /login.html and click OK.
7. Click Apply to save changes and update the configuration.
8. Restart Forefront TMG to have changes take affect:

   • Stop Firewall Service use the command net stop fwsrv

   • Start Firewall Service use the command net start fwsrv

43.6 Starting, Stopping, and Restarting the TMG Server

When instructed to restart your TMG Server during Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen.

Also, the net commands help to ensure that the Metabase does not become corrupted following an installation. Consider the following commands, which provide good ways to stop and start the TMG Server:

• net stop fwsrv

• net start fwsrv

For more information, see your TMG Server documentation.

43.7 Removing Access Manager Filters Before WebGate Uninstall on TMG Server

If you plan to uninstall the Webgate that is configured to operate with the TMG Server, you must first unregister the Access Manager filters manually, and then uninstall Webgate.

1. Stop the TMG Server.
2. Run the following command to unregister webgate.dll. For example:

43.8 Troubleshooting

The error 'Failed Connection Attempt' in TMG logs on accessing any Access Manager protected resource does not affect functionality and can be ignored.