4. Design Options
Single purpose and location, no high availability: Forefront TMG 2010 Standard Edition
Single purpose and location, high availability: Forefront TMG 2010 Enterprise Edition in a stand-alone array
Multiple purposes and/or locations, high availability: Enterprise Management Server (EMS)
5. Single Purpose and Location
Forefront TMG 2010 Standard Edition (SE)
Light and medium traffic
All-in-one solution
No high availability requirements
[Diagram: a single Forefront TMG Standard Edition server between the internal network and the Internet]
6. Single Purpose and Location
Forefront TMG 2010 Enterprise Edition (EE):
Stand-alone array
Shared configuration
High traffic solution
Simple upgrade from SE to EE: data is maintained, only the EE license key is entered
Provides high availability and scale out
[Diagram: a stand-alone array of Forefront TMG EE servers between the internal network and the Internet]
7. Forefront TMG Arrays
Shared configuration of EE servers
Allows scale out and high availability
Seen as single entity by clients
Network connections load balanced across the array
Administered as single entity
Configuration settings shared across array members
Stand-alone array
No dedicated management server
One server designated as the array manager
Consoles redirect to the array manager
9. Enterprise Management Server (EMS)
Dedicated, replicated configuration store
Single point of administration
Uses Windows Server® 2008 Active Directory® Lightweight Directory Services (AD LDS) to host the configuration store
Same replication mechanism as Active Directory (AD)
Replication partners must authenticate: Active Directory (Kerberos) for domain-joined servers, certificates (TLS) for workgroup servers
10. Using EMS-managed Arrays
Arrays can enforce Enterprise policy configured in EMS
Optionally allow local array policy
Define primary and secondary EMS servers for high availability
Array members query EMS using LDAP
Domain-joined array members authenticate via AD (Kerberos)
Workgroup servers, or servers in untrusted domains, authenticate using TLS (certificates)
11. Deploying an EMS
Select EMS to be installed on the server
Configure it to create a new enterprise or to be a replica of an existing one
Select the authentication method
12. Creating an Array on EMS
An EMS can store policies for several different arrays, as well as a default enterprise policy
13. Joining EMS-managed Array
Servers select which primary and secondary EMS to use and which array to join
14. Managing Forefront TMG SE from EMS
EMS can be used to manage policies for Forefront TMG 2010 Standard Edition (SE) servers
15. Forefront TMG Enterprise Deployment Design
Single, replicated AD LDS database
Hosted on two or more EMS replicas
Contains one or more arrays of Forefront TMG EE servers
Optionally manages Forefront TMG SE servers
Recommended: one EMS database per organization
16. Sample Enterprise TMG Deployment
[Diagram: Corp HQ hosts two EMS servers with a replicated configuration, a stand-alone array for the DMZ (publishing), an EMS-managed array for Web access, an EMS-managed array for VPN, and TMG Management consoles. A Regional HQ (WAN link only) hosts an EMS replica, an EMS-managed array for Web access and a TMG Management console. Branch offices run TMG SE: one with an Internet link only, reached by site-to-site VPN; one with WAN and Internet links; one with a WAN link only.]
17. EMS Design Considerations
If EMS fails, you cannot monitor the array or manage its configuration
Always define at least one EMS replica
EMS cannot be hosted on array members
Sample design for EMS high availability:
Deploy two EMS servers (one primary, one replica) in one physical site
Deploy one EMS server (replica) in each other physical site
Use a maximum of 40 arrays or servers per EMS
18. Console Design Considerations
x86 and x64 Management Console
Requires Windows Server® 2008 or Windows Vista®
Deployed on administrative workstations
Requires LAN-class bandwidth and latency to the EMS and array members
Otherwise the best option is to use Remote Desktop to a console on the same LAN
19. DNS Considerations
Windows can only use one primary DNS server list; it cannot split queries by zone between ISP and corporate servers
Which to use?
ISP DNS servers?
Corporate DNS servers?
Solutions:
Use corporate DNS servers and forwarders
Host the DNS service locally
Use conditional forwarding for internal DNS zones
Forward all other queries to the ISP DNS servers
20. Domain vs. Workgroup
Workgroup scenarios:
Unauthenticated inbound and outbound traffic, for example a secure mail relay
Web site publishing using LDAP, RADIUS, or SecurID tokens
VPN with RADIUS authentication
Outbound Web access using RADIUS
Deployment considerations:
Requires certificates on all EMS servers and array members
21. Web Proxy Chaining
Main scenario: a site with no Internet link
Default rule is to retrieve requests directly
Chain all Web requests, or just requests to specific destinations
Also used for site redirection
23. Sample Web Proxy Chaining Design
[Diagram: Headquarters with a TMG array and an ISP link; a Disaster Recovery site with a TMG array and its own ISP link; a Regional HQ with a TMG array and an ISP link; a Small Branch Office with TMG SE and a link to the Regional HQ only; branch offices with TMG SE, one with WAN and Internet links and one with a WAN link only. Client traffic goes to the local TMG; sites without an Internet link chain Web requests over the WAN to an upstream array (chaining paths 1 and 2).]
25. Scalability and Availability
Service scale out and high availability options:
Network load balancing
Cache Array Routing Protocol (CARP)
Connectivity high availability through Internet service provider (ISP) redundancy
26. Network Load Balancing (NLB)
Provides high availability at host level: when a host goes down, its traffic is redirected to the other members of the NLB cluster
Allows scale out
Uses the client IP address instead of a cookie for session affinity (single affinity)
Works with any IP device
Built-in Windows feature, integrated with Forefront TMG
Use for:
Web proxy (outbound)
Web and server publishing (inbound)
Remote access through VPN
27. Network Load Balancing
[Diagram: clients on the Internet send a request to the NLB cluster's virtual IP; the L2 or L3 switch floods the incoming request to all hosts (Host 1, Host 2, Host 3) because the NLB hosts share the same MAC address and virtual IP; exactly one host accepts the client request and sends the response back to the client.]
28. NLB Modes
Unicast
MAC address overwritten with shared MAC
Prevents node-node communication
Not supported on Microsoft Hyper-V™
Switch flooding issues
Multicast
Adds multicast MAC address
May require ARP table entry at router/L3 switch
IGMP Multicast
Only sends to ports in IGMP group
Not RFC-compliant
31. Web Content Caching
Forward proxy caching
Cache objects requested by internal web proxy clients
Reverse proxy caching
Cache static content from published web sites
Reduces load on Web servers
Cache rules based on destination only
Networks, IP ranges, DNS domains, URLs
Security Support
34. Cache Array Routing Protocol (CARP)
Distributed caching algorithm
Returns the IP address or host name of the caching server most likely to have a cached copy of the content
Selection is per fully qualified domain name (FQDN), not per page
Allows the implementation of a single, logical cache that scales linearly with the number of members
Implemented using a script that runs client-side or server-side
Server-side – allows members of the Forefront TMG array to fetch content from other array members
Client-side – allows Web proxy clients to fetch the content directly from the appropriate array member
37. Enabling CARP
Server-side:
Enable per network
CARP exceptions per network
Load factor per array member
Client-side:
Use the configuration script provided by the array, delivered by WPAD or by the Use automatic configuration script option
39. CARP, NLB, and High Availability
Client-side CARP is not a high availability solution: the browser must be restarted on node failure
If you need high availability:
Enable CARP on the server
Configure clients to use the NLB address (this disables client-side CARP)
If you want cache efficiency and performance:
Enable CARP on the server
Configure clients to use client-side CARP
Use WPAD or an automatic configuration script
40. Internet Service Provider (ISP) Redundancy
Enables using two ISPs for external connectivity
Two modes of operation:
Failover – primary and backup ISP
Load balancing and failover – connections distributed between two active ISPs, with a percentage of connections routed through each ISP
Network rules can be used to route subnets through a specific link
42. Client Types
Web proxy client
CERN-compatible browsers/applications
SecureNAT client
Any host supporting IP
Forefront TMG client
Formerly the ISA Server Firewall client
Windows computers
43. Client Comparison
Feature                    SecureNAT client                    Forefront TMG client        Web proxy client
Installation required      IP routing configuration            Yes (client software)       Web browser configuration
OS support                 Any OS supporting TCP/IP            Windows only                Any proxy-aware Web application
Protocol support           Requires application filters for    All Winsock applications    HTTP, HTTPS, and FTP download
                           multiple-connection protocols
User-level authentication  No                                  Yes                         Yes
44. Web Proxy Client Configuration
Generate configuration
Discover configuration
Automatic configuration script
Web Proxy Auto Discovery (WPAD)
Static proxy configuration
Enforce configuration
Manual
Group policy
Forefront TMG client
46. Discover Web Proxy Configuration
Automatic Configuration Script
Script maintained by the array
http://<FQDN>/array.dll?Get.Routing.Script
Configures:
Web proxy address and port
Site and domain bypass
Alternate proxy
CARP membership
Configure via a site-level group policy object (GPO) for roaming clients
47. Discover Web Proxy Configuration
Web Proxy Automatic Discovery (WPAD)
Allows Web clients to autodiscover the Web proxy using DNS or DHCP
DNS: the client queries for host wpad in each DNS suffix; not location aware
DHCP: the client queries its lease for option 252, which carries http://<FQDN>:80/wpad.dat; location aware
Takes precedence over the Automatic Configuration Script setting
Can be enabled via GPO
48. Discover Web Proxy Configuration
Static Proxy Configuration
Configurable via GPO
Best option with NLB or other load balancing solutions
Supported by all platforms
Limitations:
Disables client-side CARP
If NLB is used, clients authenticate with NTLM (the proxy is addressed by its virtual IP rather than an array member's name, so Kerberos is not possible)
Cannot define an alternate proxy
49. Enforce Configuration
Manual browser configuration
Can be scripted
Active Directory GPO
Restricted to domain members
Defined per domain, site or
organizational unit (OU)
Forefront TMG Client
Client configures browser settings
50. SecureNAT clients
Only requires proper routing
Clients perform DNS resolution
Limitations:
No user information passed
No support for secondary connections
(without application filter)
Use for:
Non-Web protocols
Simple, unauthenticated protocols
Non-Windows systems
51. Enhanced NAT
Specify the IP address used for NAT from a source to a destination network
Solves issues with SMTP Sender Policy Framework (SPF) and other IP-based authorization policies
Web proxy and NAT-based access rules only
Overrides the ISP redundancy load balancing mode
52. Forefront TMG Client
Formerly known as the ISA Server Firewall client
Supports all WinSock-based applications
FwcWsp.dll is registered as a layered service provider in the WinSock protocol stack
FwcWsp tracks all WinSock calls
All remote TCP calls are sent to the FWC listener (TCP 1745)
User information is passed on all requests
Use for:
User-based authentication for non-Web protocols
Complex protocols with secondary connections
53. Forefront TMG Client Discovery
Secure discovery using Active Directory, with fallback to DHCP and DNS
Secure discovery uses AD to store discovery information for domain members
Covers both Forefront TMG client and Web proxy discovery
Allows global and site-specific markers
Configured using TmgAdConfig.exe:
TmgAdConfig add -site <Site> -type <winsock|webproxy> -url <URL>
55. Client-side Configuration Settings
Client settings are stored in the following files: Management.ini, Common.ini, Application.ini
Client settings defined in the console are delivered to the client during restart, and then every six hours
A manual refresh is also possible
56. Client-side Configuration
Users can use the client to configure HTTPS Inspection notifications and Automatic Detection options
58. Migration from ISA Server to Forefront TMG
ISA Server SE → Forefront TMG SE, or Forefront TMG EE as a stand-alone server
ISA Server EE → Forefront TMG EMS
ISA Server 2004/2006 settings can be exported to a file and then imported on Forefront TMG SE or EE
The Export confidential information option must be set
ISA Server EE can be migrated to Forefront TMG EMS
No in-place upgrade option: ISA Server is x86 only, Forefront TMG is x64 only
59. Upgrading from Forefront TMG SE to EE
Simply select the Upgrade to Enterprise Edition option
on the System Properties
Enter the Forefront TMG 2010 Enterprise Edition product key
No need to rerun setup
To install an Enterprise Management Server (EMS) for centralized management:
1. Insert the Forefront TMG 2010 DVD into the DVD drive, or run autorun.hta from a shared network drive.
2. On the main setup page, click Run Windows Update. Windows Update might require one or more restarts. If the computer restarts, relaunch setup as described in step 1.
3. On the main setup page, click Run Preparation Tool to launch the Forefront TMG Preparation Tool. For instructions on running it, see the Microsoft TechNet article Preparing for installation (http://technet.microsoft.com/en-us/library/dd896983.aspx).
4. On the main setup page, click Run Installation Wizard to launch the Forefront TMG Installation Wizard.
5. On the Setup Scenarios page, click Enterprise Management Server for centralized array management.
6. On the Installation Path page, specify the Forefront TMG installation path.
7. On the Enterprise Management Server Configuration page, choose one of:
Create a new enterprise configuration on this EMS, to create new enterprise policies and policy rules for this EMS.
Copy an existing enterprise configuration to this EMS, to duplicate the enterprise configuration of an existing EMS on this computer. The copy includes the enterprise policies and the settings of the arrays in the enterprise.
8. If you selected Create a new enterprise configuration on this EMS, on the Create New Enterprise page enter the name of the enterprise in the Enterprise name box and a short description in the Description box.
9. If you selected Copy an existing enterprise configuration to this EMS, on the Locate Configuration Storage Server page enter the fully qualified domain name (FQDN) of the EMS to copy from, and select the user account to use when connecting to that configuration storage server. Important: before copying, on the existing EMS you must add the new EMS computer to the Replicate configuration storage servers computer set (under Computer Sets in Network Objects).
10. On the Forefront TMG Configuration Replicate Source page, click Replicate over the network to copy settings over the network, or Copy from the restored backup files to copy settings from a backup folder.
11. On the Enterprise Deployment Environment page, select the membership type of your Forefront TMG enterprise: Single domain deployment if the enterprise computers are in the same domain, or Workgroup deployment if they reside in a workgroup. A workgroup deployment requires a server certificate; see Creating certificates for details on installing server certificates.
12. On the final page, you can choose to open the Forefront TMG Management console immediately.
Forefront TMG implements a cache to improve performance and response times for Web requests. You configure the cache to hold Web objects that users request frequently. When a user requests such an object, the caching mechanism serves it directly from the cache instead of fetching it from the Internet. Web caching provides two main benefits:
Faster access for users – Web requests are served from the cache instead of requiring a connection to a remote Internet server. In Web publishing scenarios, reverse caching speeds up access for Internet users requesting content from corporate Web servers published by Forefront TMG 2010.
Reduced traffic on the Internet connection – Because frequently requested objects are served from the cache, bandwidth on the Internet connection is saved. In Web publishing scenarios, reverse caching reduces the load on the published Web server.
Supported caching types
Forefront TMG supports two types of caching:
Forward caching – caches frequently requested Internet content and serves it to internal users.
Reverse caching – caches content that is frequently requested from internal Web servers published by Forefront TMG and serves it to external, remote users. Reverse caching is enabled by default when forward caching is enabled.
Considerations for storing cached content
Forefront TMG stores cached content in two locations: in memory (by default, 10% of RAM is used for caching objects) and on disk. Because objects cached in memory can be retrieved faster than objects cached on disk, Forefront TMG keeps the most popular content both on disk and in memory. If the cache content file on disk is too full to hold a new object, Forefront TMG removes older objects from the cache, choosing which to remove with a formula that weighs the object's age, how often it is accessed, and its size.
When you plan for caching, consider the following:
More RAM provides faster performance for serving cached content. In large deployments, a high-performance hard disk is recommended.
You must use a formatted NTFS partition for the cache, and the cache drive must be local. When you configure a cache drive, the cache content file Dir1.cdat is created in drive:\urlcache.
The maximum size of the cache file on a single drive is 64 GB.
Files larger than 512 MB do not remain in the cache after a reboot.
Locate the file on a physical disk other than the one holding the operating system and Forefront TMG. This reduces contention on the system and boot disk.
Forefront TMG cache performance counters provide information about cache memory performance, cache space, and URL handling. Based on this information, you can adjust cache settings as required.
To enable caching
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and under Related Tasks click Configure Web Caching.
2. On the Cache Drives tab, select the server entry, and then click Configure.
3. Select the required drive, and in Maximum cache size specify the maximum size in megabytes. Click Set to save the setting; click Reset to set the value back to 0. The maximum size for a single cache file is 64 GB; if you require a larger cache store, split it into several files on different drives.
To disable caching, set the cache drive size to 0. Check the cache rules before disabling caching: content that is served only from the cache will not be available once caching is disabled. To configure advanced caching properties, leave the Cache Settings dialog box open and continue with the next procedure.
To configure how objects are cached and how expired objects are served from the cache
1. In the Cache Settings dialog box, click the Advanced tab.
2. Leave the default setting Cache objects that have an unspecified last modification time enabled, so that pages or objects without a last-modification time stamp can still be cached.
3. Leave the default setting Cache objects even if they do not have an HTTP status code of 200 enabled, so that pages without this status code are cached. HTTP 200 is the OK response from a Web server, indicating that the request was fulfilled and a complete page was obtained.
4. In Maximum size of URL cached in memory, specify the largest object that may be stored in memory. This prevents large objects, such as graphics, from crowding out the memory cache. Setting the limit too low hurts caching performance, because objects are served more quickly from the memory (RAM) cache than from disk.
5. Select Do not return the expired object (return an error page) to disable negative caching. Negative caching lets you specify the circumstances in which expired cache objects are returned to users when the origin Web server is not available.
6. Select Return the expired object only if expiration was to indicate that an expired object should be returned in some circumstances, then configure:
At less than this percentage of original Time-To-Live – how long an expired object may be served from the cache, as a percentage of its original Time-to-Live (TTL). A TTL value is specified in every cache rule you create. For example, a value of 50 means the expired object is returned for at most 50% of the original TTL beyond its expiry.
But no more than (minutes) – an expired object is not returned if it expired more than this many minutes ago, even if that still falls within the percentage set above.
7. In Percentage of free memory to use for caching, specify the percentage of RAM made available for caching. The default is 10 percent.
To configure cache rules
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. On the Tasks tab, click Configure Web Caching.
3. On the Cache Rules tab, click New. Follow the wizard, and note the following:
On the Cache Content page, selecting Dynamic content makes Forefront TMG cache retrieved objects even if they are marked as not cacheable, provided the source and request headers indicate caching.
On the Cache Content page, selecting Content requiring user authentication for retrieval makes Forefront TMG cache content requested by authenticated users, if the source and request headers indicate caching. That content is then served from the cache without verifying access permissions, so non-authenticated users may be able to retrieve it. Treat this option as an access-control bypass and leave it off unless the published content is not sensitive.
On the Cache Advanced Configuration page, the setting Cache SSL Responses applies to SSL-bridged traffic only. SSL-tunneled traffic is not cached. This means SSL traffic can be cached in reverse caching scenarios, where internal Web sites are published over SSL and the SSL connection is terminated on the Forefront TMG firewall; outgoing SSL requests to the Internet cannot be cached.
On the HTTP Caching page, the setting Set TTL of objects (% of the content age) instructs Forefront TMG to keep HTTP objects valid in the cache according to TTL settings. These are based on the TTL defined in the response header and on the TTL boundaries defined in the cache rule. The percentage of content age is a percentage of the time the content has existed; the higher the percentage, the less frequently the cache is refreshed.
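The two timing rules above (TTL as a percentage of content age, and negative caching with the percentage-of-TTL and "no more than" limits) are easy to misread, so here they are as functions. This is an added example written for this page, not TMG code; times are plain seconds passed in explicitly so the results are deterministic, and the "no less than / no more than" clamp is assumed to be what the text calls the rule's TTL boundaries.

```javascript
// Added example, not Forefront TMG code: the cache timing rules described
// in the procedure above, as pure functions over constructed values.
// All times are seconds (e.g. seconds since epoch) and are passed in.

// Cache rule "Set TTL of objects (% of the content age)": the TTL becomes
// a percentage of how long the object has existed (now - Last-Modified),
// clamped to the rule's bounds (assumed to be the "TTL boundaries").
function ttlFromContentAge(lastModified, now, percentOfAge, minTtl, maxTtl) {
  const age = Math.max(0, now - lastModified);
  const ttl = Math.floor(age * percentOfAge / 100);
  return Math.min(maxTtl, Math.max(minTtl, ttl));
}

// Negative caching decision for one cache entry { storedAt, ttl }.
// policy is { mode: "error" } (never return expired objects) or
// { mode: "percent", percentOfTtl: 50, maxMinutes: 30 } (maxMinutes optional).
// Returns "fresh" | "refetch" | "stale" | "error".
function serveDecision(entry, now, originAvailable, policy) {
  const age = now - entry.storedAt;
  if (age <= entry.ttl) return "fresh";          // not expired: serve from cache
  if (originAvailable) return "refetch";         // expired, origin up: go to origin
  if (policy.mode === "error") return "error";   // return an error page instead
  const expiredFor = age - entry.ttl;
  // "At less than this percentage of original Time-To-Live"
  let allowed = entry.ttl * policy.percentOfTtl / 100;
  // "But no more than (minutes)" caps the window even if within the percentage
  if (policy.maxMinutes !== undefined) {
    allowed = Math.min(allowed, policy.maxMinutes * 60);
  }
  return expiredFor <= allowed ? "stale" : "error";
}

// Constructed entry: stored at t=0 with a one-hour TTL.
const SAMPLE_ENTRY = { storedAt: 0, ttl: 3600 };
const PERCENT_POLICY = { mode: "percent", percentOfTtl: 50 };
const CAPPED_POLICY = { mode: "percent", percentOfTtl: 50, maxMinutes: 10 };
```

With PERCENT_POLICY the entry is still served up to 1800 s after it expired (50% of 3600), but only while the origin is unreachable; CAPPED_POLICY cuts that window to 600 s. Note that negative caching trades freshness for availability: stale content is returned, so keep the window short for anything whose staleness has a security impact (for example, published policy or revocation data).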
In arrays, Forefront TMG uses Cache Array Routing Protocol (CARP) to provide a single, logical cache, for all the servers in the array. CARP allows Forefront TMG array members to efficiently balance Web-based client load, and split cached content between them. On the client side, CARP provides client computers with the information and algorithms required to identify which is the best server in the array to serve their request, thus eliminating the need for array members to forward requests between the array members. CARP also supports array server selection by the servers themselves and chained proxies.
In a scenario where you are using ISA Server 2006 with NLB and also want to use Kerberos for Web proxy authentication, you should use automatic configuration (WPAD) rather than a static proxy address (see the TechNet article Automatic Detection Concepts in ISA Server 2006, http://technet.microsoft.com/en-us/library/bb794779.aspx). However, ISA Server 2004/2006 changed the way the server list in the configuration script is built compared with ISA Server 2000. ISA Server 2000 (see the MSDN article FPCWebProxy.CARPNameSystem Property, http://msdn.microsoft.com/en-us/library/ms822622.aspx) returned fully qualified names inside the MakeProxies() function. ISA Server 2004 and later return the server IP addresses appropriate to the network from which the script was requested. This change from fpcNameSystem_DNS to fpcNameSystem_IP (see the MSDN article CARPNameSystem Property of IFPCWebProxy [C++] | FPCWebProxy.CARPNameSystem [Visual Basic], http://msdn.microsoft.com/en-us/library/ms826254.aspx) was made to eliminate the name resolution problems seen in many ISA deployments. With Internet Explorer 7 and the option to use Kerberos for Web proxy authentication, the use of IP addresses causes Kerberos authentication to fail, because Kerberos needs a host name to build the HTTP/<fqdn> service principal name (SPN), and the browser falls back to NTLM.
To make ISA Server 2004/2006 build the script with fully qualified names rather than IP addresses, save and run the following script on the ISA Server:
```vbscript
' Values of the FpcCarpNameSystem enumeration
Const fpcCarpNameSystem_DNS = 0
Const fpcCarpNameSystem_WINS = 1
Const fpcCarpNameSystem_IP = 2

' Bind to the local ISA configuration and the array's Web proxy settings
Dim oISA: Set oISA = CreateObject("FPC.Root")
Dim oArray: Set oArray = oISA.GetContainingArray
Dim oWebProxy: Set oWebProxy = oArray.ArrayPolicy.WebProxy

If fpcCarpNameSystem_DNS = oWebProxy.CarpNameSystem Then
    WScript.Echo "ISA is already configured to provide DNS names in the WPAD script"
    WScript.Quit
End If

' Switch the script generator from IP addresses to fully qualified names
oWebProxy.CarpNameSystem = fpcCarpNameSystem_DNS
oWebProxy.Save True
WScript.Echo "ISA was configured to provide DNS names in the WPAD script..."
```
Important: shortly after running this script the Firewall service restarts, so make this change after business hours.
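To make the CARP behaviour from the slides (selection per FQDN, the effect of losing a member, client-side CARP being switched off by an NLB address) and the CarpNameSystem point above concrete, here is a PAC-style selection routine. It is an added example written for this page, not the script ISA or TMG generates: the string hash and combination step follow the CARP v1 draft in outline, load factor handling is simplified to a plain multiplier, and the member names, IP addresses and host list are constructed.

```javascript
// Added example, not TMG's generated script: client-side CARP member
// selection in the shape of a PAC FindProxyForURL(). Hash and combination
// follow the CARP v1 draft in outline; load factor is a plain multiplier
// (simplified). Member names, IPs and hosts are constructed.

function rotl32(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// CARP draft string hash: hash += rotl(hash, 19) + byte, modulo 2^32.
function carpHash(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) {
    h = (h + rotl32(h, 19) + s.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Combine the host hash with one member's hash (constants from the draft).
function combinedHash(hostHash, memberHash) {
  let c = (hostHash ^ memberHash) >>> 0;
  c = (c + Math.imul(c, 0x62531965)) >>> 0;
  return rotl32(c, 21);
}

// Rank array members for one host; the highest score is the member most
// likely to hold the object. The key is the FQDN only, never the path,
// so every page of a site lands on the same member.
function rankMembers(host, members) {
  const hh = carpHash(host.toLowerCase());
  return members
    .map(m => ({ m, score: combinedHash(hh, carpHash(m.id)) * m.loadFactor }))
    .sort((a, b) => b.score - a.score)
    .map(r => r.m);
}

// PAC entry point. The real script embeds the member list; here it is a
// parameter. `name` is what the browser connects to: an FQDN keeps
// Kerberos possible (HTTP/<fqdn> SPN), an IP address forces NTLM.
// A non-null `nlbVip` models the static/NLB configuration, which
// switches client-side CARP off entirely.
function FindProxyForURL(url, host, members, nlbVip) {
  if (host.indexOf(".") === -1) return "DIRECT";   // plain host names bypass the proxy
  if (nlbVip) return "PROXY " + nlbVip + ":8080";
  return rankMembers(host, members)
    .map(m => "PROXY " + m.name + ":8080")
    .join("; ");
}

// Hosts whose preferred member differs between two array configurations.
// With CARP only the hosts owned by a removed member move.
function remappedHosts(hosts, before, after) {
  return hosts.filter(h => rankMembers(h, before)[0].id !== rankMembers(h, after)[0].id);
}

// Constructed array: `id` is the hashed member identity, `name` is what goes
// into the PROXY directive (compare the CarpNameSystem DNS/IP setting).
const ARRAY_DNS = [
  { id: "tmg1", name: "tmg1.contoso.com", loadFactor: 1 },
  { id: "tmg2", name: "tmg2.contoso.com", loadFactor: 1 },
  { id: "tmg3", name: "tmg3.contoso.com", loadFactor: 1 },
];
const ARRAY_IP = ARRAY_DNS.map((m, i) => ({ ...m, name: "10.0.0.1" + (i + 1) }));
const SAMPLE_HOSTS = ["www.example.com", "update.microsoft.com", "mail.contoso.com",
  "cdn.example.net", "news.example.org", "portal.fabrikam.com", "login.live.com",
  "docs.example.com", "www.bing.com", "intranet.contoso.com", "files.example.net",
  "api.example.org"];
```

Removing tmg3 from ARRAY_DNS moves only the hosts that hashed to tmg3; every other host keeps its member, which is why the logical cache scales linearly. The ordered PROXY list lets the browser fall through to the next member if the first is down, but the browser only re-reads the script on restart, which is the "browser restart on node failure" limitation from the slides. With ARRAY_IP the same members are chosen, but the directives carry IP addresses, which is exactly the fpcNameSystem_IP output that breaks Kerberos.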
Today, more and more businesses rely on their Internet service provider (ISP) link for communication with the outside world. Sending email, browsing the Web and other Web-related activities are essential business infrastructure services that are available only as long as the ISP line is up. Keeping a stable, available and reliable Internet connection is therefore one of the critical tasks on every administrator's checklist. Forefront TMG provides a new capability called ISP redundancy, which uses not one but two ISP links for external connectivity, either for traffic load balancing or as a failover backup.
Once you have completed the initial Forefront TMG setup, either manually or with the Getting Started Wizard, open the Networking node in the Forefront TMG Management console tree, click the ISP Redundancy tab, and click Enable ISP Redundancy to turn the feature on. This opens the configuration wizard. The first step is choosing between two modes of operation:
Load Balancing – Network connections are distributed between the two active ISP lines. The load factor between the two links is configured by sliding the percentage rule from one end to the other (see image 2). Distribution is determined by the actual number of connections.
Failover – Network connections are routed through the primary ISP link. The secondary link stays inactive until the primary link is broken or disconnected. If the primary connection fails, the secondary link becomes active and outbound traffic is routed through it; it stays active until the primary link comes back.
Diverting traffic to a specific ISP link by using NAT rules
We saw earlier that explicit IP addresses can be diverted through a specific link. There are also cases where specific internal subnets must be diverted through a specific ISP link. Forefront TMG introduces new network rule settings for this. For example, to route a subnet through a specific link, create a new network rule from the Networking node of the Forefront TMG console (Create a Network Rule): set the source and destination networks, define the relationship as NAT, and on the NAT Address Selection step pick Use selected IP addresses for each network, choosing the external address that belongs to the desired link.
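The interaction between the two ISP redundancy modes and a pinning network rule is worth seeing in code. The following is an added example written for this page, not TMG's routing logic: the link names, percentages, subnets and source addresses are constructed, and the by-connection-count balancer is one reasonable reading of "distribution is determined by the actual number of connections".

```javascript
// Added example, not Forefront TMG code: outbound link selection combining
// the ISP redundancy modes with a network rule that pins a source subnet to
// one link's NAT address (the page: such a rule overrides load balancing).
// Link names, addresses, subnets and percentages are constructed.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = parseInt(bitsStr, 10);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Load balancing by connection count: hand the new connection to the link
// furthest below its configured share of all connections so far.
function pickByShare(links, counts) {
  const total = links.reduce((sum, l) => sum + counts[l.name], 0);
  let best = null;
  let bestDeficit = -Infinity;
  for (const l of links) {
    const deficit = total * l.percent / 100 - counts[l.name];
    if (deficit > bestDeficit) { best = l; bestDeficit = deficit; }
  }
  return best;
}

// config = { mode: "failover" | "loadbalance",
//            links: [{ name, percent, primary, up }],
//            natRules: [{ source: "<cidr>", link }] }
// counts: live per-link connection counts (incremented in load-balance mode).
function chooseLink(srcIp, config, counts) {
  // 1. A network rule with a selected NAT address wins over any balancing.
  const rule = config.natRules.find(r => inCidr(srcIp, r.source));
  if (rule) return { link: rule.link, reason: "network rule" };

  const up = config.links.filter(l => l.up);
  if (up.length === 0) return { link: null, reason: "no link available" };

  // 2. Failover: the primary unless it is down, then the backup.
  if (config.mode === "failover") {
    const primary = config.links.find(l => l.primary);
    if (primary.up) return { link: primary.name, reason: "primary" };
    return { link: up[0].name, reason: "failover" };
  }

  // 3. Load balancing across the links that are currently up.
  const link = pickByShare(up, counts);
  counts[link.name] += 1;
  return { link: link.name, reason: "load balance" };
}

// Run a batch of new connections through one configuration.
function simulate(config, srcIps) {
  const counts = Object.fromEntries(config.links.map(l => [l.name, 0]));
  const decisions = srcIps.map(ip => chooseLink(ip, config, counts));
  return { counts, decisions };
}

const CONFIG_LB = {
  mode: "loadbalance",
  links: [
    { name: "ispA", percent: 70, primary: true, up: true },
    { name: "ispB", percent: 30, primary: false, up: true },
  ],
  natRules: [{ source: "10.20.0.0/16", link: "ispB" }],  // e.g. the mail relay subnet
};
const SAMPLE_SOURCES = Array.from({ length: 10 }, (_, i) => "10.10.0." + (i + 1));
```

Ten connections from 10.10.0.0/24 split 7/3 under the 70/30 configuration, while anything from 10.20.0.0/16 always leaves via ispB regardless of mode or counts, which is what you want for a sender whose source IP is checked on the far side (SPF, IP allow-lists). The pinned link is not subject to failover here either, so a rule-pinned subnet loses connectivity with its link; decide whether that is acceptable before pinning.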
The Forefront TMG client is now able to perform automatic discovery using a record stored in Active Directory. The TMG client can still use the traditional methods (DHCP and DNS), but if both options are enabled in the UI (see Figure 1), auto detection follows this flow:
The Forefront TMG client first tries to retrieve the information from Active Directory with an LDAP query.
If the client cannot retrieve the information because of a connection error, it does not fall back to the DHCP/DNS discovery methods, for security reasons. This removes the opportunity for an attacker to force a downgrade to a less secure method by making the Active Directory marker unavailable; Active Directory discovery is considered more secure than DHCP/DNS.
If the connection to Active Directory succeeds but no information is found, the TMG client falls back to DHCP and then to DNS.
To configure Active Directory for this, use the TMG Auto-Discovery Configuration Tool (TmgAdConfig.exe). The tool writes a marker key into Active Directory that points to your Forefront TMG server; the TMG client uses this key to locate the Forefront TMG server and connect to it. You can download the tool from the Microsoft Download Center (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dff77975-84bf-484f-a3bd-9d8dd800e220, look for AdConfigPack.EXE). After downloading and installing it on the TMG server, run the following command to register the AD marker key:
tmgadconfig add -default -type winsock -url http://ftmgfw.contoso.com:8080/wspad.dat
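The discovery orders described on this page, both the browser's WPAD order from the slides (DHCP option 252 before the DNS suffix walk) and the TMG client's AD-first order just described, are the kind of logic where the security property lives in one branch. The following is an added example written for this page, not TMG or browser code, as pure functions over constructed inputs; the suffix list, DNS records, DHCP value and marker URL are made up, and the remark about the file name the TMG client fetches on fallback is an assumption rather than something the page states.

```javascript
// Added example, not TMG or browser code: the discovery orders this page
// describes, as pure functions over constructed inputs.

// Browser-side WPAD. dhcpOption252: URL from the lease, or null.
// dnsSuffixes: the client's DNS suffix search list, in order.
// resolves(name): whether DNS has an entry for `name`.
function discoverWpad(dhcpOption252, dnsSuffixes, resolves) {
  if (dhcpOption252) {
    return { source: "dhcp", url: dhcpOption252 };   // location aware, takes precedence
  }
  for (const suffix of dnsSuffixes) {                // not location aware
    const name = "wpad." + suffix;
    if (resolves(name)) {
      return { source: "dns", url: "http://" + name + ":80/wpad.dat" };
    }
  }
  return null;                                       // nothing found: no proxy
}

// TMG client discovery. `ad` is the outcome of the LDAP query for the marker:
//   { status: "error" }      lookup failed (network, bind, ...)
//   { status: "notfound" }   AD answered, no marker for this site or default
//   { status: "ok", url }    marker found
function discoverTmgClient(ad, dhcpOption252, dnsSuffixes, resolves) {
  switch (ad.status) {
    case "ok":
      return { source: "ad", url: ad.url };
    case "error":
      // Deliberately no fallback: an attacker who can make the AD lookup
      // fail must not be able to steer the client onto DHCP/DNS discovery.
      return null;
    case "notfound":
      // Same DHCP-then-DNS order as the browser. (Assumption: the TMG client
      // then requests wspad.dat from the discovered server, not wpad.dat.)
      return discoverWpad(dhcpOption252, dnsSuffixes, resolves);
    default:
      throw new Error("unknown AD status: " + ad.status);
  }
}

// Constructed environment: only the branch suffix has a wpad record.
const DNS_RECORDS = new Set(["wpad.branch.contoso.com"]);
const resolvesInSample = name => DNS_RECORDS.has(name);
const SUFFIXES = ["corp.contoso.com", "branch.contoso.com"];
const DHCP_URL = "http://tmg01.corp.contoso.com:80/wpad.dat";
const AD_MARKER = { status: "ok", url: "http://ftmgfw.contoso.com:8080/wspad.dat" };
```

Note the asymmetry the page insists on: an AD error yields no proxy at all rather than a DHCP/DNS answer, whereas a clean "no marker" answer does fall through. If you monitor TMG client discovery failures, an unexpected rise in the "error, no fallback" outcome is worth treating as a possible attempt to break AD discovery.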
Firewall client network settings
The following settings are specified per Forefront TMG network and apply to all Firewall clients located in that network.
Enable Firewall client support for this network – Makes the network listen for requests from Firewall clients on port 1745. For configuration instructions, see the Microsoft TechNet article Enabling a network to receive firewall client requests (http://technet.microsoft.com/en-us/library/cc995209.aspx).
Name – The fully qualified domain name (FQDN) of the Forefront TMG computer that Firewall clients in this network connect to. Ensure that a DNS entry exists so clients can resolve this name; if no DNS server is available, an IP address is required.
Use a Web proxy server – Firewall clients in the network use the specified server as a Web proxy if Web browser automatic configuration is enabled.
Automatically detect settings – The Web browser on Firewall client computers automatically detects Web proxy settings.
Use automatic configuration script – The Web browser on Firewall client computers in the network obtains its settings from a configuration file. The Forefront TMG default configuration file holds the proxy server to use for a URL request and the settings specified on the Web Browser tab and the Domains tab. For configuration instructions, see the same TechNet article (http://technet.microsoft.com/en-us/library/cc995209.aspx).
Firewall client settings are located in the following files on the Firewall client computer: Management.ini, Common.ini and Application.ini.
Common.ini specifies configuration settings that apply to all applications. A typical Common.ini:
[Common]
ServerName=ISA_1
Disable=0
Autodetection=0
Management.ini contains Firewall Client configuration settings. A typical Management.ini:
[WebBrowser]
EnableWebProxyAutoConfig=1
Application.ini can be created on the client computer with configuration settings for a specific Winsock application.
Configuration file location
The location of the configuration files on the client computer depends on the operating system. On Windows XP computers, the files are copied to two locations:
\Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004
\Documents and Settings\username\Local Settings\Application Data\Microsoft\Firewall Client 2004
On Windows Vista computers, the files are copied to the following locations:
\Users\All Users\Microsoft\Firewall Client 2004
\Users\username\AppData\Local\Microsoft\Firewall Client 2004
Configuring Firewall client settings
Configuration settings specified in the Forefront TMG Management console are delivered to the client configuration files:
During Firewall client installation.
Each time the client computer is restarted.
When a manual refresh is triggered on the client computer.
Every six hours after the initial refresh.
You can also modify the configuration files on the client computer manually. When that is done, the following order of preference applies:
1. The .ini files in the folder of the specific user take precedence.
2. Firewall client next reads the All Users folder. Any setting there that contradicts the user-specific settings is ignored.
3. Firewall client then detects the Forefront TMG server to connect to, according to the settings in the Firewall Client Management dialog box.
4. Firewall client examines the server-level settings. Any setting specified in Forefront TMG is applied, unless it contradicts the user-specific or computer-specific settings, in which case it is ignored.
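The precedence order above (per-user folder, then All Users, then the settings delivered from the console, with contradicting lower-precedence values ignored) is shown below as a small merge over constructed .ini contents. This is an added example written for this page, not Firewall client code; the file contents are made up, shaped like the samples above, and the server name tmg01.contoso.com is an assumption.

```javascript
// Added example, not Firewall client code: the .ini precedence the page
// describes, applied to constructed file contents.
// Order: per-user folder > All Users folder > console-delivered settings.
// A lower-precedence value that contradicts a higher one is ignored.

// Minimal INI parser: "[section]" headers, "key=value" lines, ';' comments.
function parseIni(text) {
  const out = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(";")) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { section = sec[1]; out[section] = out[section] || {}; continue; }
    const eq = line.indexOf("=");
    if (eq < 0 || section === null) continue;      // skip malformed lines
    out[section][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Merge sources given from highest to lowest precedence. Records which
// source supplied each effective value and which lower-precedence values
// were dropped because they contradicted an already-set value.
function effectiveSettings(...sources) {
  const effective = {};
  const ignored = [];
  for (const { name, ini } of sources) {
    for (const [section, keys] of Object.entries(ini)) {
      effective[section] = effective[section] || {};
      for (const [key, value] of Object.entries(keys)) {
        const cur = effective[section][key];
        if (cur === undefined) {
          effective[section][key] = { value, from: name };
        } else if (cur.value !== value) {
          ignored.push({ section, key, value, from: name, keptFrom: cur.from });
        }
      }
    }
  }
  return { effective, ignored };
}

// Constructed contents, shaped like the Common.ini / Management.ini samples.
const USER_COMMON = `[Common]
Autodetection=1`;                       // the user switched autodetection on
const ALL_USERS_COMMON = `[Common]
ServerName=ISA_1
Disable=0
Autodetection=0`;
const SERVER_DELIVERED = `[Common]
ServerName=tmg01.contoso.com
Disable=0
Autodetection=0
[WebBrowser]
EnableWebProxyAutoConfig=1`;           // what the console pushes down

function demo() {
  return effectiveSettings(
    { name: "user", ini: parseIni(USER_COMMON) },
    { name: "allusers", ini: parseIni(ALL_USERS_COMMON) },
    { name: "server", ini: parseIni(SERVER_DELIVERED) });
}
```

The consequence worth noting is that the console does not win: a value in the user's own folder beats anything delivered from the server, so these files are user-controlled and the Firewall client's settings are not a policy enforcement point. Enforce proxy use with access rules on TMG itself, not by relying on client-side configuration.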
Forefront TMG supports the following migration options:
Migrating from Internet Security and Acceleration (ISA) Server 2004 to Forefront TMG
Migrating from ISA Server 2006 to Forefront TMG
Migrating from Forefront TMG Release Candidate (RC) to Forefront TMG Release to Manufacturing (RTM)
Upgrading from Forefront TMG Standard Edition to Enterprise Edition
Migration limitations
Before you migrate, be aware of the following:
Migration from ISA Server 2004 is supported only from ISA Server 2004 Service Pack 2 and Service Pack 3.
If you have enabled the Local Host network to listen for Web proxy client requests, this setting is not migrated.
Customized log field selections are not migrated; when ISA Server 2004/2006 configuration settings are imported, they are overwritten with the default log field settings.
Report configuration settings are not migrated.
A custom value for the number of times an event must occur before an alert is triggered is not migrated.
Third-party add-ons are disabled after the upgrade. If you were running a third-party add-on for ISA Server 2004/2006, contact the vendor about an updated version for Forefront TMG before re-enabling it.
To upgrade to Forefront TMG 2010 Enterprise Edition, purchase a license for your server and obtain a new product key. Then:
1. In the Forefront TMG Management console, in the tree, click the System node.
2. On the System tab, right-click the server, and then click Properties.
3. Click the Product ID tab, and then click Upgrade to Enterprise Edition.
4. Enter the Forefront TMG Enterprise Edition product key.
5. Click OK to close the Product Key Entry dialog box, and then click OK to close the Server Properties dialog box.