1. Module 5: Forefront TMG Design and Deployment
Considerations
© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.

2. Module Overview
Logical design considerations
Scalability and availability
Client configuration
Migration options

3. Lesson 1 – Logical Design Considerations

4. Design Options
Single purpose and location, no high availability
Forefront TMG 2010 Standard Edition
Single purpose and location, high availability
Forefront TMG 2010 Enterprise Edition in stand-alone array
Multiple purposes and/or locations, high availability
Enterprise Management Server

5. Single Purpose and Location
Forefront TMG 2010 Standard Edition (SE)
Light and medium traffic
All-in-one solution
No high availability
requirements
Internet
Forefront TMG
Standard Edition
5

6. Single Purpose and Location
Forefront TMG 2010 Enterprise Edition (EE):
Stand-alone array
Shared configuration
High traffic solution
Simple upgrade to EE
Data maintained Internet
EE license key
Stand-alone
Provides high availability Array
and scale out
6

7. Forefront TMG Arrays
Shared configuration of EE servers
Allows scale out and high availability
Seen as single entity by clients
Network connections load balanced across the array
Administered as single entity
Configuration settings share across array members
Stand-alone array
No dedicated management server
One server designated as the array manager
Consoles redirect to array manager
7

8. Joining Stand-alone Array
8

9. Enterprise Management Server (EMS)
Dedicated, replicated configuration store
Single point of administration
Uses Windows Server® 2008 Active Directory®
Lightweight Directory Services (AD LDS) to host
configuration store
Same replication mechanism as Active Directory (AD)
Requires Active Directory authentication to replicate
9

10. Using EMS-managed Arrays
Arrays can enforce Enterprise policy configured in EMS
Optionally allow local array policy
Define primary and secondary EMS servers for high
availability
Array members query EMS using LDAP
Domain-joined array members authenticate via AD (Kerberos)
Workgroup servers or in untrusted domains authenticate using
TLS (certificates)
10

11. Deploying an EMS
Select EMS to be installed on the server
Configure to create a new enterprise or be a replica of an existing one
Select the authentication method
11

12. Creating an Array on EMS
An EMS can store policies for several different arrays, as well as a
default enterprise policy
12

13. Joining EMS-managed Array
Servers select which primary and secondary EMS to use
and which array to join
13

14. Managing Forefront TMG SE from EMS Array
EMS can be used to manage policies for Forefront TMG
2010 Standard Edition (SE) servers
14

15. Forefront TMG Enterprise Deployment Design
Single, replicated AD LDS database
Hosted on two or more EMS replicas
Contains one or more arrays of Forefront TMG EE servers
Optionally managing Forefront TMG SE servers
Recommended one EMS database per organization
15

16. Sample Enterprise TMG Deployment
Standalone Array
DMZ (Publishing) Site-to-Site VPN
EMS Array TMG SE
(Web Access) Branch Office
(Internet link only)
Internet
TMG Management EMS EMS Array
Corp HQ (VPN) EMS Array
Replicated
Configuration
WAN Branch Office
(WAN & Internet link)
EMS
EMS Array
(Web Access)
TMG Management
TMG SE
Branch Office
Regional HQ (WAN link only)
16

17. EMS Design Considerations
If EMS fails, you cannot monitor array or manage its
configuration
Always define at least one EMS replica
EMS cannot be hosted on array members
Sample design for EMS high availability:
Deploy two EMS servers (one primary, one replica) in one
physical site
Deploy one EMS server (replica) in other physical sites
Use a maximum of 40 arrays or servers per EMS
17

18. Console Design Considerations
x86 and x64 Management Console
Requires Windows Server® 2008 or Windows Vista®
Deployed on administrative workstations
Require LAN-speed and latency to EMS and array
members
Otherwise the best option is to use Remote Desktop
18

19. DNS Considerations
Windows can only use one primary DNS server
Which to use?
ISP DNS servers?
Corporate DNS servers?
Solutions:
Use Corporate DNS servers and forwarders
Host DNS service locally
Use conditional forwarding for internal DNS zones
Forward all other queries to to ISP DNS servers
19

20. Domain vs. Workgroup
Workgroup scenarios
Unauthenticated inbound and outbound traffic
For example, Secure Mail Relay
Web site publishing using LDAP, RADIUS, or SecurID tokens
VPN with RADIUS authentication
Outbound Web Access using RADIUS
Deployment considerations
Require certificates on all EMS and array members
20

21. Web Proxy Chaining
Main scenario
Site with no Internet link
Default rule is to retrieve directly
Chain all Web requests, or just requests to specific
destinations
Also used for site redirection
21

22. Web Proxy Chaining
22

23. Sample Web Proxy Chaining Design
TMG Array
TMG SE
Small Branch Office
Regional HQ (Link to Regional HQ)
ISP
1
Internet
WAN Internet
TMG Array
ISP TMG Array
2
Branch Office
Disaster (WAN and
Recovery site Internet link)
ISP Link
Chaining
Client Traffic TMG Array TMG SE
Branch Office
Head Quarters (WAN link only)
23

24. Lesson 2 – Scalability and Availability

25. Scalability and Availability
Service scale out and high availability options
Network load balancing
Cache Array Routing Protocol (CARP)
Connectivity high availability through Internet service
provider (ISP) redundancy

26. Network Load Balancing (NLB)
Provides high availability at host level
When the host is off its traffic is redirected to other members of
the NLB cluster
Allows scale out
Uses client IP instead of cookie for session affinity
Works with any IP device
Built in Windows feature, integrated with Forefront TMG
Single affinity
Use for
Web proxy (outbound)
Web and server publishing (inbound)
Remote access through VPN
26

27. Network Load Balancing
Host 3 Host 2 Host 1
NLB
Cluster
The networkis sent
One server accepts
A response floods
client initiates a L2 or L3
the incomingclient
request torequest
the client anclient
back to the NLB Switch
request
cluster
Internet
NLB hosts share the same Client(s)
MAC address and Virtual IP

28. NLB Modes
Unicast
MAC address overwritten with shared MAC
Prevents node-node communication
Not supported on Microsoft Hyper-V™
Switch flooding issues
Multicast
Adds multicast MAC address
May require ARP table entry at router/L3 switch
IGMP Multicast
Only sends to ports in IGMP group
Not RFC-compliant

29. Enabling NLB Integration
29

30. Maintaining NLB Settings
30

31. Web Content Caching
Forward proxy caching
Cache objects requested by internal web proxy clients
Reverse proxy caching
Cache static content from published web sites
Reduces load on Web servers
Cache rules based on destination only
Networks, IP ranges, DNS domains, URLs
Security Support

32. Enabling Caching
Define cache drives on array members
32

33. Enabling Caching
Define cache settings
33

34. Cache Array Routing Protocol (CARP)
Distributed caching algorithm
Returns the IP address or host name of the caching server most
likely to have a cached copy of the content
Per fully qualified domain name (FQDN), not per page
Allows the implementation of a single, logical cache
(scales linearly)
Implemented using script that runs client-side or
server-side
Server-side – Allows members of the Forefront TMG array to fetch
content in other array members
Client-side – Allows Web proxy clients to fetch the content directly
from the appropriate array member
34

35. Server-side CARP Internet
1. Client requests URL
2. NLB hash: Host 3 Host 2 Host 1
Hash(Client IP) = Host 3
3. Host 3 gets CARP hash:
Hash(URL) = Host 2
4. Forwards request to Host 2 NLB
Cluster
5. Host 2 gets CARP hash: with CARP
Hash(URL) = Host 2 enabled
6. Checks cache/fetches
object
7. Caches object/returns to
Host 3 Client /
8. Host 3 returns to client Downstream
Proxy

36. Client-side CARP Internet
1. Client gets WPAD.dat or Host 3 Host 2 Host 1
auto configuration script
2. Client gets CARP hash:
Hash(URL) = Host 2
NLB
3. Forwards request to Host 2 Cluster
with CARP
4. Host 2 gets CARP hash: enabled
Hash(URL) = Host 2
5. Checks cache/fetches
object
6. Caches object/returns to
Client /
client Downstream
Proxy

37. Enabling CARP
Server-side:
Enable per network
CARP exceptions per network
Load factor
Client-side:
Use configuration script
provided by the array
Provided by WPAD or by
the Use automatic
configuration script option
37

38. CARP and Kerberos
38

39. CARP, NLB, and High Availability
Client-side CARP is not a high availability solution
Browser restart on node failure
If you need high availability:
Enable CARP on server
Configure clients to use NLB address
(disables client-side CARP)
If you want cache efficiency and performance:
Enable CARP on server
Configure clients to use client-side CARP
Use WPAD or automatic configuration script
39

40. Internet Service Provider (ISP) Redundancy
Enables utilizing two ISPs for external connectivity
Two modes of operation
Failover – Primary and backup ISP
Load balancing and failover – Connections distributed between
two active ISPs
Percentage of connections routed through each ISP
Network rules can be use to route subnets through a specific link
40

41. Lesson 3 – Client Configuration

42. Client Types
Web proxy client
CERN-compatible browsers/applications
SecureNAT client
Any host supporting IP
Forefront TMG client
Formerly ISA firewall client
Windows computers
42

43. Client Comparison
SecureNAT Forefront Web Proxy
Feature Client TMG Client Client
Installation IP Routing Yes Web browser
required configuration configuration
OS Support Any OS supporting Windows only Any proxy-aware
TCP/IP Web application
Protocol support Requires All Winsock HTTP, HTTPS, and
application filters applications FTP download
for multiple-
connection
protocols
User-level No Yes Yes
authentication

44. Web Proxy Client Configuration
Generate configuration
Discover configuration
Automatic configuration script
Web Proxy Auto Discovery (WPAD)
Static proxy configuration
Enforce configuration
Manual
Group policy
Forefront TMG client
44

45. Generate Web Proxy Client Configuration
45

46. Discover Web Proxy Configuration
Automatic Configuration Script
Script maintained by array
http://<FQDN>/array.dll?Get.Routing.Script
Configures:
Web proxy address and port
Site and domain bypass
Alternate proxy
CARP membership
Configure via site group
policy object (GPO) for
roaming clients
46

47. Discover Web Proxy Configuration
Web Proxy Automatic Discovery (WPAD)
Allows Web clients to autodiscover the Web proxy using
DNS or DHCP
DNS client queries for host wpad in each DNS suffix
Not location aware
DHCP client queries lease
for option 252
http://<FQDN>:80/wpad.dat
Location aware
Takes precedence over
Automatic Configuration
Script
Can be enabled via GPO
47

48. Discovery Web Proxy Configuration
Static Proxy Configuration
Configurable via GPO
Best option with NLB or other load balancing solutions
Supported by all platforms
Limitations:
Disables client-side CARP
If NLB is used, clients use
NTLM authentication
Cannot define alternate proxy
48

49. Enforce Configuration
Manual browser configuration
Can be scripted
Active Directory GPO
Restricted to domain members
Defined per domain, site or
organizational unit (OU)
Forefront TMG Client
Client configures browser settings

50. SecureNAT clients
Only requires proper routing
Clients perform DNS resolution
Limitations:
No user information passed
No support for secondary connections
(without application filter)
Use for:
Non-Web protocols
Simple, unauthenticated protocols
Non-Windows systems

51. Enhanced NAT
Specify IP used for NAT from source to destination
network
Solves issues with SMTP Sender Policy Framework and other
IP-based authorization policies
Web proxy and NAT-based access rules only
Overrides ISP redundancy load balancing mode
51

52. Forefront TMG Client
Formerly known as ISA Firewall client
Supports all WinSock-based applications
FwcWsp.dll registered with WinSock protocol stack
FwcWsp tracks all WinSock calls
All remote TCP calls sent to FWC listener (TCP 1745)
User information passed on all requests
Use for:
User-based access authentication to non-Web protocols
Complex protocols with secondary connections
52

53. Forefront TMG Client Discovery
Secure discovery using
Active Directory, with
fallback to DHCP and DNS
Secure discovery uses AD to
store discovery information
for domain members
Forefront TMG client and
Web proxy discovery
Allows global and site-
specific markers
Configured using
TmgAdConfig.exe
TmgAdConfig add –site <Site> -type <winsock|webproxy> -url <URL>
53

54. Server-side Configuration
Domains and Addresses
tabs determine routing
54

55. Client-side Configuration Settings
Clients settings stored
in the following files:
Management.ini
Common.ini
Application.ini
Client settings
defined in the
console are delivered
to the client during
restart, and then
every six hours
Manual refresh also
possible
55

56. Client-side Configuration
Users can use the client to
configure HTTPS Inspection
notifications and Automatic
Detection options
56

57. Lesson 4 – Migration Options

58. Migration from ISA Server to Forefront TMG
ISA Server SE Forefront TMG SE
Forefront TMG EE
standalone server
ISA Server EE Forefront TMG EMS
ISA Server 2004/2006 settings can be exported to a file and
then imported on Forefront TMG SE or EE
Export confidential information option must be set
ISA Server EE can be migrated to Forefront TMG EMS
No in place upgrade option
ISA Server x86 only, Forefront TMG x64 only

59. Upgrading from Forefront TMG SE to EE
Simply select the Upgrade to Enterprise Edition option
on the System Properties
Enter the Forefront TMG 2010 Enterprise Edition product key
No need to rerun setup

60. Questions

61. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or
trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because
Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee
the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.