Transcript of Deploying Microsoft Forefront Threat Management Gateway 2010

Contents

Acknowledgments v

Introduction vii

CHAPTER 1 Understanding Forefront Threat Management Gateway 2010 1
  A History of Perimeter Protection 1
  Forefront TMG as a Perimeter Network Device 3
    Network Firewall 3
    Forward and Reverse Proxy, Web Proxy, and Winsock Proxy Server 4
    Web Caching Server 5
    Remote Access VPN Server 5
    Site-to-Site VPN Gateway 7
    Secure Email Gateway 8
  Forefront TMG as a Secure Web Gateway 8
    Network Inspection System 10
    Malware Inspection 11
    HTTPS Inspection 13
    URL Filtering 15
  Forefront TMG Role within the Forefront Protection Suite 16
    Forefront Unified Access Gateway 2010 17
    Forefront Identity Manager 18
    Forefront Protection for Exchange Server 19
    Forefront Online Protection for Exchange 19
    Forefront Protection 2010 for SharePoint 20
  Administrator's Punch List 20

CHAPTER 2 Installing and Configuring Forefront Threat Management Gateway 2010 23
  Preparing to Install Forefront TMG 23
    Choosing Deployment Options for Forefront TMG 24
    Meeting Hardware and Software Requirements for Forefront TMG 25
    Selecting the Forefront TMG Edition 29
  Installing Forefront TMG 31
    Reviewing Company Requirements 31
    Completing the Installation Phases 32
    Installing Forefront TMG 32
  Post-Installation Configuration 42
  Administrator's Punch List 55

CHAPTER 3 Deploying Forefront TMG 2010 Service Pack 1 57
  New Features in Service Pack 1 57
  Planning Service Pack 1 Deployment 58
  Installing Forefront TMG 2010 Service Pack 1 59
  Configuring User Override for URL Filtering 62
  Reporting Enhancements 65
  Branch Office Support 66
  What's Next? 72
  Administrator's Punch List 73

About the Authors 75


PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2010 by Yuri Diogenes and Dr. Thomas W. Shinder

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2010936127

Printed and bound in the United States of America.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/[email protected].

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author's views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Devon Musgrave
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design

Body Part No. X17-15053


Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/

What do you think of this book? We want to hear from you!



Acknowledgments

This Forefront project took almost a year to write and resulted in three separate books about deploying Forefront products. Although the authors get lots of credit, there can be little doubt that we could not have even begun, much less completed, this book without the cooperation (not to mention the permission) of an incredibly large number of people.

It's here that we'd like to take a few moments of your time to express our gratitude to the folks who made it all possible.

With thanks…

To the folks at Microsoft Press who made the process as smooth as they possibly could: Karen Szall, Devon Musgrave, and their crew.

To the TMG Product Team folks, especially to Ori Yosefi and David Strausberg, for helping us by reviewing the Service Pack 1 chapter. To all our friends from CSS Security, especially to Bala Natarajan for reviewing content.

From Yuri

First and foremost to God, for blessing my life, leading my way, and giving me the strength to take on the challenges as just another step in life. To my eternal supporter in all moments of my life: my wife Alexsandra. To my daughters who, although very young, understand when I close the office door and say, "I'm really busy." Thanks for understanding. I love you, Yanne and Ysis.

To my friend Thomas Shinder, whom I was fortunate enough to meet three years ago. Thanks for shaping my writing skills and also contributing to my personal growth with your thoughts, advice, and guidance. Without a doubt, these long months working on this project were worth it because of our amazing partnership. I can't forget to thank the two other friends who wrote the Microsoft Forefront Threat Management Gateway Administrator's Companion with me: Jim Harrison and Mohit Saxena. They were, without a doubt, the pillars for this writing career in which I'm now fully engaged. Thanks, guys. To, as Jim says, "da Boyz": Tim "Thor" Mullen, Steve Moffat, and Greg Mulholland. You guys are amazing. Thanks for sharing all the tales.

To my friend Thomas Detzner and all ISA/TMG EMEA engineers (including the great folks from PFE), thanks for sharing your knowledge and all the partnerships that we have had over these years. I would also like to say thanks to all my friends from Microsoft CSS Security (in Texas, North Carolina, and Washington) for sharing experiences every day, with a special thanks to all the great engineers from CSS India—you guys are the pillars of this team. Thanks for pushing me with tough questions and concerns. To all the readers of my articles and blogs, thanks for all the feedback that you guys share with me. If I keep writing in my spare time, it is because I know you are reading it. To all the Forefront MVPs, keep up the amazing job that you guys do. Last, but not least, to my buddies Mohit Kumar, Alexandre Hollanda, Daniel Mauser, and Alejandro Leal, for your consistent support throughout the years.

From Tom

As Yuri does, I acknowledge the blessings from God, who took "a fool like me" and guided me on a path that I never would have chosen on my own. The second most important acknowledgement I must make is to my beautiful wife, Deb Shinder, whom I consider my hand of God. Without her, I don't know where I would be today, except that I know that the place wouldn't be anywhere near as good as the place I am now.

I also want to acknowledge my good friend Yuri Diogenes, my co-writer on this project. Yuri really held this project together. I had just started working for Microsoft and was learning about the ins and outs of the Microsoft system, and I was also taking on a lot of detailed and complex projects alongside the writing of this book. Yuri helped keep me focused, spent a lot of time pointing me in the right direction, and essentially is responsible for enabling me to get done what I needed to get done. I have no doubt that, without Yuri guiding this effort, it probably never would have been completed.

Props go out to Jim Harrison, "the King of TMG," as well as to Greg Mulholland, Steve Moffat, and Tim Mullen. You guys were the moral authority that drove us to completion. I also want to give a special "shout out" to Mohit Saxena. His TMG chops and sense of humor also helped us over the finish line.

Finally, I want to thank the operators of ISAserver.org and all the members of the ISAserver.org community. You guys were the spark that started a flaming hot career for me with ISA Server and then TMG. You guys are a never-ending inspiration and a demonstration of the power of community and ways communities can work together to solve hard problems and share solutions.


Introduction

When we began this project, our intent was to create a real world scenario that would guide IT professionals in using Microsoft best practices to deploy Microsoft Forefront Threat Management Gateway (TMG) 2010. We hope you find that we have achieved that goal. We've also included the main deployment scenarios for Forefront TMG, and we take a deep dive into the installation process from the RTM version to the Service Pack 1 version.

This book provides administrative procedures, tested design examples, quick answers, and tips. In addition, it covers some of the most common deployment scenarios and describes ways to take full advantage of the product's capabilities. This book covers pre-deployment tasks, use of Forefront TMG in a Secure Web Gateway scenario, software and hardware requirements, and installation and configuration, using best practice recommendations.

Who Is This Book For?

Deploying Microsoft Forefront Threat Management Gateway 2010 covers the planning and deployment phases for this product. This book is designed for:

■ Administrators who are deploying Forefront TMG

■ Administrators who are experienced with Windows Server 2008 in general and with Windows networking in particular

■ Current ISA Server administrators

■ Administrators who are new to Forefront TMG

■ Technology specialists, such as security administrators and network administrators

Because this book is limited in size and we want to provide you the maximum value, we assume a basic knowledge of Windows Server 2008 and Windows networking. These technologies are not discussed in detail, but this book contains material on both of these topics that relates to Forefront TMG administrative tasks.

How Is This Book Organized?

Deploying Microsoft Forefront Threat Management Gateway 2010 is written to be a deployment guide and also to be a source of architectural information related to the product. The book is organized in such a way that you can follow the steps to plan and deploy the product. The steps are based on a deployment scenario for the company Contoso. As you go through the steps, you will also notice tips for best practices implementation. At the end of each chapter, you will see an "Administrator's Punch List," in which you will find a summary of the main administrative tasks that were covered throughout the chapter. This is a quick checklist to help you review the main deployment tasks.

The book is organized into three chapters: Chapter 1, "Understanding Forefront Threat Management Gateway 2010," introduces you to the core concepts of firewalls, perimeter protection, and proxies and guides you through the use of Forefront TMG as a secure web gateway. Chapter 2, "Installing and Configuring Forefront Threat Management Gateway 2010," guides you through the product's installation and configuration. Chapter 3, "Deploying Forefront 2010 Service Pack 1," covers the new features of Service Pack 1 and describes how to install and configure those features.

We really hope you find Deploying Microsoft Threat Management Gateway 2010 useful and accurate. We have an open door policy for email at [email protected], and you can contact us through our personal blogs and Twitter accounts:

■ http://blogs.technet.com/yuridiogenes and http://blogs.technet.com/tomshinder

■ http://twitter.com/yuridiogenes and http://twitter.com/tshinder

Support for This Book

Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O'Reilly Media website. To find Microsoft Press book and media corrections:

1. Go to http://microsoftpress.oreilly.com.

2. In the Search box, type the ISBN for the book and click Search.

3. Select the book from the search results, which will take you to the book's catalog page.

4. On the book's catalog page, under the picture of the book cover, click View/Submit Errata.

If you have questions regarding the book or the companion content that are not answered by visiting the book's catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.


We Want to Hear from You

We welcome your feedback about this book. Please share your comments and ideas through the following short survey:

http://www.microsoft.com/learning/booksurvey

Your participation helps Microsoft Press create books that better meet your needs and your standards.

NOTE We hope that you will give us detailed feedback in our survey. If you have questions about our publishing program, upcoming titles, or Microsoft Press in general, we encourage you to interact with us using Twitter at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown earlier.


CHAPTER 3

Deploying Forefront TMG 2010 Service Pack 1

■ New Features in Service Pack 1 57

■ Planning Service Pack 1 Deployment 58

■ Installing Forefront TMG 2010 Service Pack 1 59

■ Configuring User Override for URL Filtering 62

■ Reporting Enhancements 65

■ Branch Office Support 66

■ What's Next? 72

In the summer of 2010, Microsoft released a major product update: Forefront TMG 2010 Service Pack 1 (SP1) for Microsoft Forefront Threat Management Gateway (TMG) 2010. This service pack is intended not only to fix some issues that were detected after Forefront TMG was released, but also to add new capabilities to the product. This chapter describes the new features, the way to install Forefront TMG 2010 SP1, the way to deploy the core features available in this service pack, and what's coming next.

New Features in Service Pack 1

Forefront TMG 2010 SP1 provides improvements to Forefront TMG in four core areas:

■ Reporting: Forefront TMG 2010 SP1 changes the look and feel of Forefront TMG reports and adds a new user activity report that can show more detailed information about the pages a user browsed and the URL categories that were requested by the user.

■ Secure Web Access: One of the main uses for Forefront TMG is as a Secure Web Gateway (SWG). One of TMG's core features, called URL Filtering, is a key component of SWG. Forefront TMG 2010 SP1 brings a new capability, called URL Filtering User Override, to this feature. URL Filtering User Override allows users to override the access restrictions put in place by the URL Filtering feature implemented by the TMG administrator.


■ Branch Office Support: Forefront TMG 2010 SP1 takes advantage of the BranchCache feature that is available in Windows Server 2008 R2. This feature provides branch office users with an improved browsing experience while reducing bandwidth utilization between the branch and main offices.

■ Publishing: A new publishing wizard supports SharePoint 2010 deployments through Forefront TMG.

These features will be covered in detail in this chapter. However, before we discuss new features, it is important to get more details on Forefront TMG 2010 SP1 deployment.

Planning Service Pack 1 Deployment

Before installing Forefront TMG 2010 SP1 on Forefront TMG, it is necessary to plan the deployment to ensure that it goes smoothly. The installation sequence and prerequisites will vary according to your TMG setup. The overall installation process is shown in Figure 3-1:

FIGURE 3-1

In order to carry out the Forefront TMG 2010 SP1 installation procedures correctly, you will need to answer the following questions:

■ Which Forefront TMG version (Enterprise or Standard) are you using?

■ Are the Forefront TMG firewalls deployed as array members or as stand-alone servers?

■ What Forefront TMG role (EMS or Firewall) is the machine providing?


When you have this information, you can determine the installation sequence from Table 3-1.

NOTE  Before you apply Forefront TMG 2010 SP1, create a full backup of your current Forefront TMG configuration. You should also have the latest Windows updates installed on the computer on which TMG is installed.

TABLE 3-1 Installation based on the Forefront TMG setup

TMG setup: Single Server
Installation order:
  1. Single server installation point
General notes: Regardless of the Forefront TMG setup, always run the setup with an elevated administrative level.

TMG setup: Array
Installation order:
  1. Enterprise Management Servers (master and replicas)
  2. Array managers
  3. Array members
General notes: Before you install Forefront TMG 2010 SP1 on Forefront TMG Enterprise Edition, you must log on to EMS using the credentials that were used to install EMS during the initial setup process. If you try to install the update using a different administrator account, the installation might fail.

Installing Forefront TMG 2010 Service Pack 1

Assuming that you downloaded the English version of Forefront TMG 2010 SP1 from the Microsoft Download Center (http://www.microsoft.com/downloads/details.aspx?FamilyID=f0fd5770-7360-4916-a5be-a88a0fd76c7c&displaylang=en) to a temporary folder, such as C:\temp, start the installation by following these steps:

1. Click Start, right-click Command Prompt, and choose the Run As Administrator option.

2. Type cd c:\temp to switch to the temporary folder.

3. Type TMG-KB981324-AMD64-ENU.msp, and press Enter.

4. On the Open File – Security Warning page, click Open.

5. When the Welcome To The Update For Microsoft Forefront TMG Service Pack 1 page appears, as shown in Figure 3-2, click Next to continue.


FIGURE 3-2

6. When the License Agreement page appears, read the license agreement and select the I Accept The Terms In The License Agreement check box, and then click Next to proceed.

7. The Locate Configuration Storage Server page appears. Because this is the first Forefront TMG to which we are applying Forefront TMG 2010 SP1, the option to specify the configuration storage server is unavailable (grayed out), as shown in Figure 3-3. When you are applying Forefront TMG 2010 SP1 on array members, this option will be available so that you can specify the configuration storage server. Click Next to continue.

FIGURE 3-3


8. When the Ready To Install The Program page appears, click Install.

9. After the installation is finished, the Installation Wizard Completed page appears, as shown in Figure 3-4. Click Finish to conclude the installation.

FIGURE 3-4

10. To confirm that the Forefront TMG 2010 SP1 installation is in place, you can open the Forefront TMG Management console, click System, and verify the Forefront TMG version, which should be 7.0.8108.200, as shown in Figure 3-5.

FIGURE 3-5

Administrator's Insight: Troubleshooting an Installation

There are several issues that you might encounter when installing Forefront TMG 2010 SP1, some of which are documented in the Forefront TMG 2010 SP1 release notes at http://technet.microsoft.com/en-us/library/ff717843.aspx#troubleshooting. There may be other problems with the installation that will require troubleshooting. The general rule of thumb is to start troubleshooting the installation by reviewing the error messages presented in the UI, and then go to the Forefront TMG setup logs to track the root causes of the issues. The Forefront TMG Setup Installation logs are located at %windir%\temp, and the ADAM Setup log files are located at %windir%\debug.


There are two articles on the TMG Team Blog and one on my blog that describe a general approach to troubleshooting installation issues:

■ "Troubleshooting ERROR: Setup failed to install ADAM.\r\n (0x80074e46) and 0x80070643 while trying to install TMG 2010" can be found at http://blogs.technet.com/b/isablog/archive/2010/07/07/troubleshooting-error-setup-failed-to-install-adam-r-n-0x80074e46-and-0x80070643-while-trying-to-install-tmg-2010.aspx.

■ "Another TMG 2010 Installation failure with error 0x80070643" can be found at http://blogs.technet.com/b/isablog/archive/2010/07/13/another-tmg-2010-installation-failure-with-error-0x80070643.aspx.

■ "Unable to install Forefront TMG 2010 – Error 0x80074e46" can be found at http://blogs.technet.com/b/yuridiogenes/archive/2010/08/16/unable-to-install-forefront-tmg-2010-error-0x80074e46.aspx.

Although these articles are not specifically related to Forefront TMG 2010 SP1, they can be used as troubleshooting methodology for your installation process on Forefront TMG.

Configuring User Override for URL Filtering

In a world in which compliance and security policy enforcement are growing trends, having a secure Web gateway that reflects your IT business requirements is a real advantage. One of the pillars for the Forefront TMG Secure Web Gateway scenario is URL Filtering, which directly affects user productivity by filtering traffic to unwanted destinations. A new enhancement to the URL Filtering feature, introduced with Forefront TMG 2010 SP1, allows users to override restricted Web access and proceed on a per-request basis. This can provide a more flexible Web access policy by allowing users to decide whether to access a site that was initially denied to them. This can help reduce help desk calls, especially for Web sites that have been incorrectly categorized.

While this might sound too flexible when the subject is policy enforcement, the fact of the matter is that the user will receive a warning that a Web site being entered is prohibited and that entering the Web site will be logged. This can help to reveal user Internet usage behavior when accessing prohibited Web sites. This feature uses the logic illustrated in Figure 3-6.


FIGURE 3-6

When Forefront TMG sends the Deny page, as illustrated by Step 4, if the user clicks Override Access Restriction, Forefront TMG will allocate to the user's browser a cookie that will accompany all subsequent Web requests to this domain, and the browser is triggered to reload the URL. Once Forefront TMG receives the Web request with the cookie, it will effectively disable the blocking rule for this particular Web request. It is important to understand that the cookie will remain valid only for the length of the browser session or until the configured time-out period expires. The other important notes about this feature are:

■ In order for the user override feature to work, one of the subsequent firewall policy rules must allow access to the requested destination.

■ User override configuration requires that you create Deny rules; you cannot enable Allow rules with category exceptions and then enable a user override.

■ The user override option only works for the HTTP protocol.

■ User override is not supported for HTTPS traffic.

■ You can't customize the content type for the user override feature; the rule must apply to all types of HTTP content.
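The cookie-scoped override flow and the constraints listed above, as an added Python model (written for this edit, not code from the book or from Microsoft; the Rule, Request and OverrideCookie types, the rule names, the hosts and the 600-second time-out are constructed assumptions). It walks the Figure 3-6 sequence for one user and also covers the cases where the override does not apply: another domain, an expired cookie, an HTTPS request, and a policy with no later Allow rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One Web access policy rule (hypothetical shape, not TMG's object model)."""
    name: str
    action: str                         # "allow" or "deny"
    categories: frozenset               # URL categories matched; {"*"} = any
    allow_user_override: bool = False   # the Allow User Override option (Deny rules only)
    override_timeout_s: int = 3600      # assumed default for the cookie time-out


@dataclass(frozen=True)
class OverrideCookie:
    """What the browser receives after Override Access Restriction is clicked."""
    user: str
    domain: str
    rule: str            # the Deny rule this cookie disables
    expires_at: float    # session end or configured time-out, whichever comes first


@dataclass
class Request:
    user: str
    scheme: str          # "http" or "https"
    host: str
    category: str
    now: float
    cookie: Optional[OverrideCookie] = None


def cookie_applies(cookie: Optional[OverrideCookie], rule: Rule, req: Request) -> bool:
    """A cookie disables only its own Deny rule, only for the domain it was
    issued for, only over HTTP, and only until it expires."""
    return (cookie is not None
            and req.scheme == "http"
            and cookie.user == req.user
            and cookie.domain == req.host
            and cookie.rule == rule.name
            and cookie.expires_at > req.now)


def evaluate(policy: List[Rule], req: Request, audit: List[str]) -> str:
    """First-match walk of the policy. Returns 'allow', 'deny' (plain Deny
    page) or 'deny-override' (Deny page with the Override Access Restriction
    button). The implicit last rule denies everything."""
    for rule in policy:
        if "*" not in rule.categories and req.category not in rule.categories:
            continue
        if rule.action == "allow":
            return "allow"
        if rule.allow_user_override and cookie_applies(req.cookie, rule, req):
            # Override in effect: log it, skip this Deny rule, and let the
            # subsequent rules decide (an Allow rule must follow).
            audit.append(f"{req.user} overrode {rule.name} for {req.host}")
            continue
        if rule.allow_user_override and req.scheme == "http":
            return "deny-override"          # HTTPS never gets the button
        return "deny"
    return "deny"


def click_override(rule: Rule, req: Request) -> OverrideCookie:
    """The user clicks Override Access Restriction: TMG issues a cookie scoped
    to this domain and rule, and the browser reloads the URL carrying it."""
    return OverrideCookie(req.user, req.host, rule.name,
                          req.now + rule.override_timeout_s)


# Constructed sample policy: a Deny rule with user override, then a broad Allow.
DENY_RULE = Rule("Deny Restricted Categories", "deny",
                 frozenset({"Gambling", "Social Networking"}),
                 allow_user_override=True, override_timeout_s=600)
ALLOW_ALL = Rule("Allow Web Access", "allow", frozenset({"*"}))


def demo(policy: List[Rule]) -> Dict[str, object]:
    """Walk the Figure 3-6 flow for one user against `policy` and return
    every decision, plus how many overrides were logged."""
    audit: List[str] = []
    first = Request("alice", "http", "social.example", "Social Networking", 1000.0)
    out: Dict[str, object] = {"first_request": evaluate(policy, first, audit)}
    cookie = click_override(DENY_RULE, first)
    reload = Request("alice", "http", "social.example", "Social Networking", 1001.0, cookie)
    out["reload_with_cookie"] = evaluate(policy, reload, audit)
    other = Request("alice", "http", "casino.example", "Gambling", 1002.0, cookie)
    out["other_domain_same_cookie"] = evaluate(policy, other, audit)
    late = Request("alice", "http", "social.example", "Social Networking", 1601.0, cookie)
    out["after_timeout"] = evaluate(policy, late, audit)
    tls = Request("alice", "https", "social.example", "Social Networking", 1003.0, cookie)
    out["https_request"] = evaluate(policy, tls, audit)
    out["overrides_logged"] = len(audit)
    return out


if __name__ == "__main__":
    print(demo([DENY_RULE, ALLOW_ALL]))   # override reaches the Allow rule
    print(demo([DENY_RULE]))              # no Allow rule: still denied
```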

Now that you know how the core functionality of this feature works, the next step is to implement it by following these steps:

1. Open the Forefront TMG Management console.

2. Click Web Access Policy, right-click the rule that denies the traffic to a set of destinations (for this example we will use the default Deny rule created by the Web Access Policy Wizard), and choose Properties.

3. Click the Action tab, and then select the Allow User Override option, as shown in Figure 3-7.


FIGURE 3-7

NOTE  You can also specify a range of time during which the user can stay on the blocked URL. This is the time that the assigned cookie will be valid for the user. 

4. To customize the error message that the user will receive when attempting to browse a blocked URL, click Advanced. The Action Advanced Properties dialog box appears, as shown in Figure 3-8.

FIGURE 3-8

5. Type your custom message, as shown in Figure 3-8, click OK, click OK again, and click Apply to commit the changes.

Now that you've implemented this feature, you can perform a test using a client who is trying to browse a Web site that matches one of the categories specified on the Deny rule on which the user override feature is enabled. The user will receive an error message, and the Override Access Restriction button will be available, as shown in Figure 3-9.

FIGURE 3-9

IMPORTANT  If you don’t have an Allow rule for this destination, the user won’t be able to access this Web site even by clicking Override Access Restriction.

Reporting Enhancements

One of the most highly anticipated changes in Forefront TMG 2010 SP1 is the enhancement to the reporting feature. The new report design changes the look and feel of Forefront TMG reports, and the new format provides clearer information. Figure 3-10 shows an example of the new report main page.


FIGURE 3-10

NOTE  More sample reports can be found in “Reporting Improvements in Forefront TMG SP1,” at http://blogs.technet.com/b/isablog/archive/2010/08/15/reporting-improvements-in-forefront-tmg-sp1.aspx.

The user activity report will contain more granular information about the Web sites that the user visited, including the URL category for each site.

NOTE  While writing this book, a Reporting issue was detected after installing TMG SP1. To view the problem and the solution for this problem, review Yuri Diogenes’s answer on the following forum thread: http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeMLR/thread/543b0ef3-68fa-442c-bb3d-a42177809016.

Branch Office Support

The new Branch Office integration functionality uses a new wizard to help you take advantage of the Windows Server 2008 R2 BranchCache role. This option enables Forefront TMG to act as Hosted Cache Server in a branch office scenario. The Forefront TMG UI dashboard for branch and Web cache utilization can be used for monitoring. To illustrate this feature and the capability to use a Read-Only Domain Controller (RODC) on Forefront TMG, we are going to use the topology shown in Figure 3-11.

FIGURE 3-11

In order to prepare the RODC you will need to:

■ Verify that you have network connectivity to the Headquarters Domain Controller (HQDC) and that you set the branch server's DNS to the HQDC.

■ If the RODC role is already installed on the server located in the branch office, create a slipstream version of Forefront TMG with Forefront TMG 2010 SP1 to install on top of the RODC. If you try to prepare the RODC without the slipstream version, you will receive the error message shown in Figure 3-12.


FIGURE 3-12

■ Verify that the server located in the branch office is already a member of the domain (in this case it is a member of contoso.com).

■ Verify that the server located in the branch office uses the domain controller at headquarters as its DNS server.

■ Verify that the certificate that will be used by the BranchCache feature is already installed on Forefront TMG under Personal Store, which is under Certificates (Local Computer). Remember that the certificate must be trusted by the clients that are behind Forefront TMG in the branch office.

With these elements in place, the first step toward enabling the RODC role on the server on which Forefront TMG will be installed is to prepare the forest for RODC. To do that, the forest must be at a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 functional level. You must run the adprep /rodcprep command on the current domain controller for the domain.

Afterpreparingtheforest,youwillrunthedcpromocommandontheserveronwhichForefrontTMGwillbeinstalled,andthenfollowthewizard.OntheAdditionalDomainControllerOptionspage,besuretoselecttheRead-OnlyDomainController(RODC)option,asshowninFigure3-13.


FIGURE 3-13

Continue to follow the wizard to complete the promotion of this server to a read-only domain controller.

NOTE  For the complete planning and deployment guide for Active Directory RODC,  review the article "Deploying RODCs in Branch Offices" at http://technet.microsoft.com/en-us/library/dd735411(WS.10).aspx.

The next step is to install Forefront TMG 2010 SP1 on the server on which the RODC is installed:

1. Run the following command from an elevated command prompt:

ServerManagerCmd.exe -inputpath <DVD_path>\FPC\PreRequisiteInstallerFiles\WinRolesInstallSA_Win7.xml -logPath C:\Windows\TEMP\TMG-Prerequisites.log

2. Prepare a Forefront TMG 2010 SP1 slipstream DVD by following these steps:

• Copy the Forefront TMG DVD and the Forefront TMG 2010 SP1 MSP file to a local drive on the target computer. For the purposes of this example, let's assume this is c:\temp\TMG. At a command prompt, type the following command and press Enter.

msiexec /a c:\temp\TMG\FPC\MS_FPC_SERVER.msi /p TMG-KB981324-amd64-ENU.msp /qb /L*v c:\tmg\log.txt

• Run the upgraded setup program by typing c:\temp\TMG\FPC\setup.exe at a command prompt and pressing Enter. Follow the wizard for the Forefront TMG installation. For more information on Forefront TMG installation, review Chapter 2, "Installing and Configuring Forefront Threat Management Gateway 2010."


NOTE  During the installation process, be sure to define the internal network to include the branch subnets and complete the installation.
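The RODC preparation checklist and the slipstream build above, as an added PowerShell example (not code from the book or from the product): it verifies each prerequisite on the branch server and then runs the same msiexec slipstream command non-interactively. The HQDC host name hqdc01.contoso.com, the certificate subject, and the local paths are assumptions; adjust them to your environment.

```powershell
# Added example (not from the book): checks for the RODC preparation list
# above, then the SP1 slipstream build from the installation steps.
# Assumed values (adjust): HQDC host name, certificate subject, local paths.
# Run in an elevated PowerShell 2.0 session on the branch server.
$HqDc        = 'hqdc01.contoso.com'            # assumed HQDC host name
$Domain      = 'contoso.com'                   # domain used in the chapter
$CertSubject = 'CN=branch-tmg.contoso.com'     # assumed BranchCache cert subject
$TmgSource   = 'C:\temp\TMG'                   # local copy of the TMG DVD
$Sp1Patch    = 'C:\temp\TMG\TMG-KB981324-amd64-ENU.msp'

$script:failed = $false
function Check([string]$what, [bool]$ok) {
    if ($ok) { Write-Host "PASS  $what" } else { Write-Host "FAIL  $what"; $script:failed = $true }
}

# Connectivity to the headquarters domain controller.
Check "HQDC $HqDc reachable" (Test-Connection -ComputerName $HqDc -Count 2 -Quiet)

# The branch server's DNS must point at the HQDC (compare against its addresses).
$hqAddrs = [System.Net.Dns]::GetHostAddresses($HqDc) | ForEach-Object { $_.IPAddressToString }
$dnsUsed = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
           ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
Check "DNS servers ($($dnsUsed -join ',')) include the HQDC" (@($dnsUsed | Where-Object { $hqAddrs -contains $_ }).Count -gt 0)

# Domain membership.
$cs = Get-WmiObject Win32_ComputerSystem
Check "Member of $Domain (reported: $($cs.Domain))" ($cs.PartOfDomain -and $cs.Domain -ieq $Domain)

# Forest functional level must be Windows Server 2003 or higher for adprep /rodcprep.
$mode = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode
Check "Forest functional level $mode allows RODC" ([int]$mode -ge [int][System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest)

# BranchCache certificate in Certificates (Local Computer)\Personal. Verify() only proves
# this server trusts the chain; the issuing CA must also be trusted by the branch clients.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $CertSubject } | Select-Object -First 1
Check "Certificate '$CertSubject' present in LocalMachine\My" ($cert -ne $null)
if ($cert) { Check "Certificate chain is valid on this server" ($cert.Verify()) }

if ($script:failed) { Write-Host 'Resolve the FAIL items before dcpromo and the slipstream build.'; return }

# Slipstream build: the same msiexec command as in step 2 above, run non-interactively.
$msi = Join-Path $TmgSource 'FPC\MS_FPC_SERVER.msi'
$proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
    '/a', "`"$msi`"", '/p', "`"$Sp1Patch`"", '/qb', '/L*v', 'C:\tmg\log.txt')
if ($proc.ExitCode -ne 0) { throw "Slipstream build failed; msiexec exit code $($proc.ExitCode), see C:\tmg\log.txt" }
Write-Host "Slipstream ready: run $(Join-Path $TmgSource 'FPC\setup.exe') to install Forefront TMG with SP1."
```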

The Forefront TMG installation automatically identifies that it is running on a domain controller and enables the system policy that allows DC traffic from the internal network to the Forefront TMG server as well as from the HQ DCs (if they are outside the internal network).

Every branch account (user or computer) that is joined to the domain needs to have its password replicated to the RODC for authentication. To replicate the password, complete the following steps on the HQDC:

1. In the Active Directory Users and Computers console, select the Domain Controllers branch, right-click on the RODC, and select Properties.

2. Click the Password Replication Policy tab, and then click Add.

3. Select Allow Passwords For The Account To Replicate To This RODC, select all relevant local users for this branch, and then click OK.

4. On the RODC's Properties page, click Advanced, and verify that the user accounts you added appear in the list of Accounts for which the passwords are stored on this Read-only Domain Controller.

5. Active Directory must complete replicating the user information to the RODC before you can log on with these accounts.
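The Password Replication Policy steps above, as an added example using the Active Directory module on the HQDC (not code from the book); the RODC name branch-tmg, the group Branch-Users, and the HQDC hqdc01.contoso.com are assumptions. It goes a little beyond the book's steps: it prepopulates the passwords instead of waiting for the first logon, and it warns if the allowed list overlaps the built-in Denied RODC Password Replication Group.

```powershell
# Added example (not from the book): the RODC password replication steps done
# with the Active Directory module on the HQDC. Assumed names: RODC 'branch-tmg',
# branch account group 'Branch-Users' (created beforehand), HQDC 'hqdc01.contoso.com'.
Import-Module ActiveDirectory
$Rodc        = 'branch-tmg'           # assumed RODC computer name
$BranchGroup = 'Branch-Users'         # assumed group holding the branch accounts
$HqDc        = 'hqdc01.contoso.com'   # assumed writable DC to replicate from

# Steps 2 and 3: allow the branch accounts' secrets to be cached on this RODC.
# A group rather than individual users keeps the policy reviewable later.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# Least-privilege check: nothing from the built-in denied group (Domain Admins,
# krbtgt, and so on) should appear in the allowed list. Deny wins anyway, but an
# overlap means the branch group contains accounts it should not.
$denied  = Get-ADGroupMember 'Denied RODC Password Replication Group' -Recursive |
           Select-Object -ExpandProperty distinguishedName
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$members = $allowed | Where-Object { $_.objectClass -eq 'group' } |
           ForEach-Object { Get-ADGroupMember $_ -Recursive } |
           Select-Object -ExpandProperty distinguishedName
$overlap = $members | Where-Object { $denied -contains $_ }
if ($overlap) { Write-Warning "Privileged accounts inside the allowed list: $($overlap -join '; ')" }

# Step 5: prepopulate each branch user's password on the RODC now (password only),
# so the first logon does not depend on the WAN link to the HQDC.
Get-ADGroupMember $BranchGroup -Recursive | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
    Sync-ADObject -Object $_.distinguishedName -Source $HqDc -Destination $Rodc -PasswordOnly
}

# Step 4: list the accounts whose passwords are now stored on the RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```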

The next step to configure the branch office Forefront TMG is to enable BranchCache support. To perform this operation:

1. Open the Forefront TMG Management console.

2. Click Firewall Policy, and on the Task Pane, click Configure BranchCache.

3. In the BranchCache window, select Enable BranchCache (Hosted Cache Mode), as shown in Figure 3-14.


FIGURE 3-14

4. Click the Authentication tab; click Select, as shown in Figure 3-15; and then choose the certificate that will be presented to the client computers for authentication.

FIGURE 3-15


5. Optionally, you can select the Require Client Computers To Be Members Of The Same Domain As Forefront TMG option if you want to restrict the access to this feature. If Forefront TMG is in a workgroup, you should not use this option.

6. Click OK to continue, and then click Apply to commit the changes.

What’s Next?

At the time we were writing this chapter, the Forefront TMG product team was finalizing the next update (post-SP1) for Forefront TMG; it is called Update 1. Update 1 will include some additions to the product, such as:

■ SafeSearch  This is a feature that acts as an automated adult-oriented-content filter in Web search engines, such as Bing and Yahoo. SafeSearch is activated by the end user from a search Web page. Forefront TMG can be used for SafeSearch enforcement when organizational policy requires that all or some of its personnel perform SafeSearch only.

NOTE  For more information about the SafeSearch feature, read http://blogs.technet.com/b/isablog/archive/2010/09/21/new-in-forefront-tmg-update-1-safesearch-enforcement.aspx.

■ Multiple Categories for URL Filter  This capability provides a way of assigning multiple categories to a single URL. With this feature, a Forefront TMG Administrator will be able to create access rules that consider all categories returned by Microsoft Reputation Services. An example of how this option can be used: a site can be categorized as primarily a "general business" site, but also as a "Webmail" site. In this case, the "general business" category is ranked higher than the "Webmail" category. So, for example, if a Forefront TMG Administrator wanted to block Webmail, but couldn't with Forefront TMG 2010 SP1 because a site's primary category was general business, the multiple categories feature of Update 1 will allow the Webmail to be blocked.

NOTE  For more information about the Multiple URL Categories feature, read http://blogs.technet.com/b/isablog/archive/2010/09/21/new-in-forefront-tmg-update-1-multiple-url-categories.aspx.

■ Improve Support of User Account Control in Patch Installation and Uninstallation  Update 1 will include improvements in the installation and uninstallation processes to provide a better product experience in scenarios in which User Account Control (UAC) is enabled.

Beyond these core changes, other minor changes will be included in Update 1.


Administrator’s Punch List

In this chapter, you learned about the new features of Forefront TMG 2010 SP1 and how to configure those features, you learned about the enhancements included in Forefront TMG 2010 SP1, and you heard about what's coming next with Update 1. When preparing to deploy Forefront TMG 2010 SP1, keep in mind the following points:

■ Review your current environment before deploying Forefront TMG 2010 SP1. Knowing the current role of each Forefront TMG can assist you in installing this service pack in the correct order.

■ In an enterprise scenario, before you install Forefront TMG 2010 SP1, you must log on to the EMS using the same credentials that were used to install EMS during the setup process.

■ You will need to use administrative elevated privileges in order to install Forefront TMG 2010 SP1.

■ If you have installation problems, review the Forefront TMG installation logs under %windir%\temp.

■ When using the URL Filtering User Override option, be sure to review the reports and logs to identify the users who are using sites that were initially blocked by URL Filtering.

■ After installing Forefront TMG 2010 SP1, review the new report design, and create new reports based on user activity.

■ Be sure to plan the BranchCache deployment before enabling it.

■ If the RODC role is already installed on the server on which Forefront TMG 2010 SP1 will be installed, it will not work with the Forefront TMG RTM version. You will need to create a slipstream version of Forefront TMG.

■ To prepare for the RODC installation, you must run the adprep /rodcprep command on the current controller for the domain.
