Deploying Microsoft Forefront Threat Management Gateway 2010
Contents
Acknowledgments v
Introduction vii
CHAPTER 1
Understanding Forefront Threat Management Gateway 2010 1
A History of Perimeter Protection 1
Forefront TMG as a Perimeter Network Device 3
Network Firewall 3
Forward and Reverse Proxy, Web Proxy, and Winsock Proxy Server 4
Web Caching Server 5
Remote Access VPN Server 5
Site-to-Site VPN Gateway 7
Secure Email Gateway 8
Forefront TMG as a Secure Web Gateway 8
Network Inspection System 10
Malware Inspection 11
HTTPS Inspection 13
URL Filtering 15
Forefront TMG Role within the Forefront Protection Suite 16
Forefront Unified Access Gateway 2010 17
Forefront Identity Manager 18
Forefront Protection for Exchange Server 19
Forefront Online Protection for Exchange 19
Forefront Protection 2010 for SharePoint 20
Administrator’s Punch List 20
CHAPTER 2
Installing and Configuring Forefront Threat Management Gateway 2010 23
Preparing to Install Forefront TMG 23
Choosing Deployment Options for Forefront TMG 24
Meeting Hardware and Software Requirements for Forefront TMG 25
Selecting the Forefront TMG Edition 29
Installing Forefront TMG 31
Reviewing Company Requirements 31
Completing the Installation Phases 32
Installing Forefront TMG 32
Post-Installation Configuration 42
Administrator’s Punch List 55
CHAPTER 3
Deploying Forefront TMG 2010 Service Pack 1 57
New Features in Service Pack 1 57
Planning Service Pack 1 Deployment 58
Installing Forefront TMG 2010 Service Pack 1 59
Configuring User Override for URL Filtering 62
Reporting Enhancements 65
Branch Office Support 66
What’s Next? 72
Administrator’s Punch List 73
About the Authors 75
PUBLISHED BY Microsoft Press, A Division of Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399
Copyright © 2010 by Yuri Diogenes and Dr. Thomas W. Shinder
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2010936127
Printed and bound in the United States of America.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Devon Musgrave
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design
Body Part No. X17-15053
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:
www.microsoft.com/learning/booksurvey/
What do you think of this book? We want to hear from you!
Acknowledgments
This Forefront project took almost a year to write and resulted in three separate books about deploying Forefront products. Although the authors get lots of credit, there can be little doubt that we could not have even begun, much less completed, this book without the cooperation (not to mention the permission) of an incredibly large number of people.
It’s here that we’d like to take a few moments of your time to express our gratitude to the folks who made it all possible.
With thanks…
To the folks at Microsoft Press who made the process as smooth as they possibly could: Karen Szall, Devon Musgrave, and their crew.
To the TMG Product Team folks, especially to Ori Yosefi and David Strausberg, for helping us by reviewing the Service Pack 1 chapter. To all our friends from CSS Security, especially to Bala Natarajan for reviewing content.
From Yuri
First and foremost to God, for blessing my life, leading my way, and giving me the strength to take on the challenges as just another step in life. To my eternal supporter in all moments of my life: my wife Alexsandra. To my daughters who, although very young, understand when I close the office door and say, “I’m really busy.” Thanks for understanding. I love you, Yanne and Ysis.
To my friend Thomas Shinder, whom I was fortunate enough to meet three years ago. Thanks for shaping my writing skills and also contributing to my personal growth with your thoughts, advice, and guidance. Without a doubt, these long months working on this project were worth it because of our amazing partnership. I can’t forget to thank the two other friends who wrote the Microsoft Forefront Threat Management Gateway Administrator’s Companion with me: Jim Harrison and Mohit Saxena. They were, without a doubt, the pillars for this writing career in which I’m now fully engaged. Thanks, guys. To, as Jim says, “da Boyz”: Tim “Thor” Mullen, Steve Moffat, and Greg Mulholland. You guys are amazing. Thanks for sharing all the tales.
To my friend Thomas Detzner and all ISA/TMG EMEA engineers (including the great folks from PFE), thanks for sharing your knowledge and all the partnerships that we have had over these years. I would also like to say thanks to all my friends from Microsoft CSS Security (in Texas, North Carolina, and Washington) for sharing experiences every day, with a special thanks to all the great engineers from CSS India—you guys are the pillars of this team. Thanks for pushing me with tough questions and concerns. To all the readers of my articles and blogs, thanks for all the feedback that you guys share with me. If I keep writing in my spare time, it is because I know you are reading it. To all the Forefront MVPs, keep up the amazing job that you guys do. Last, but not least, to my buddies Mohit Kumar, Alexandre Hollanda, Daniel Mauser, and Alejandro Leal, for your consistent support throughout the years.
From Tom
As Yuri does, I acknowledge the blessings from God, who took “a fool like me” and guided me on a path that I never would have chosen on my own. The second most important acknowledgement I must make is to my beautiful wife, Deb Shinder, whom I consider my hand of God. Without her, I don’t know where I would be today, except that I know that the place wouldn’t be anywhere near as good as the place I am now.
I also want to acknowledge my good friend Yuri Diogenes, my co-writer on this project. Yuri really held this project together. I had just started working for Microsoft and was learning about the ins and outs of the Microsoft system, and I was also taking on a lot of detailed and complex projects alongside the writing of this book. Yuri helped keep me focused, spent a lot of time pointing me in the right direction, and essentially is responsible for enabling me to get done what I needed to get done. I have no doubt that, without Yuri guiding this effort, it probably never would have been completed.
Props go out to Jim Harrison, “the King of TMG,” as well as to Greg Mulholland, Steve Moffat, and Tim Mullen. You guys were the moral authority that drove us to completion. I also want to give a special “shout out” to Mohit Saxena. His TMG chops and sense of humor also helped us over the finish line.
Finally, I want to thank the operators of ISAserver.org and all the members of the ISAserver.org community. You guys were the spark that started a flaming hot career for me with ISA Server and then TMG. You guys are a never-ending inspiration and a demonstration of the power of community and ways communities can work together to solve hard problems and share solutions.
Introduction
When we began this project, our intent was to create a real world scenario that would guide IT professionals in using Microsoft best practices to deploy Microsoft Forefront Threat Management Gateway (TMG) 2010. We hope you find that we have achieved that goal. We’ve also included the main deployment scenarios for Forefront TMG, and we take a deep dive into the installation process from the RTM version to the Service Pack 1 version.
This book provides administrative procedures, tested design examples, quick answers, and tips. In addition, it covers some of the most common deployment scenarios and describes ways to take full advantage of the product’s capabilities. This book covers pre-deployment tasks, use of Forefront TMG in a Secure Web Gateway Scenario, software and hardware requirements, and installation and configuration, using best practice recommendations.
Who Is This Book For?
Deploying Microsoft Forefront Threat Management Gateway 2010 covers the planning and deployment phases for this product. This book is designed for:
■ Administrators who are deploying Forefront TMG
■ Administrators who are experienced with Windows Server 2008 in general and with Windows networking in particular
■ Current ISA Server administrators
■ Administrators who are new to Forefront TMG
■ Technology specialists, such as security administrators and network administrators
Because this book is limited in size and we want to provide you the maximum value, we assume a basic knowledge of Windows Server 2008 and Windows networking. These technologies are not discussed in detail, but this book contains material on both of these topics that relates to Forefront TMG administrative tasks.
How Is This Book Organized?
Deploying Microsoft Forefront Threat Management Gateway 2010 is written to be a deployment guide and also to be a source of architectural information related to the product. The book is organized in such a way that you can follow the steps to plan and deploy the product. The steps are based on a deployment scenario for the company Contoso. As you go through the steps, you will also notice tips for best practices implementation. At the end of each chapter, you will see an “Administrator’s Punch List,” in which you will find a summary of the main administrative tasks that were covered throughout the chapter. This is a quick checklist to help you review the main deployment tasks.
The book is organized into three chapters: Chapter 1, “Understanding Forefront Threat Management Gateway 2010,” introduces you to the core concepts of firewalls, perimeter protection, and proxies and guides you through the use of Forefront TMG as a secure web gateway. Chapter 2, “Installing and Configuring Forefront Threat Management Gateway 2010,” guides you through the product’s installation and configuration. Chapter 3, “Deploying Forefront 2010 Service Pack 1,” covers the new features of Service Pack 1 and describes how to install and configure those features.
We really hope you find Deploying Microsoft Threat Management Gateway 2010 useful and accurate. We have an open door policy for email at [email protected], and you can contact us through our personal blogs and Twitter accounts:
■ http://blogs.technet.com/yuridiogenes and http://blogs.technet.com/tomshinder
■ http://twitter.com/yuridiogenes and http://twitter.com/tshinder
Support for This Book
Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media web site. To find Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book and click Search.
3. Select the book from the search results, which will take you to the book’s catalog page.
4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.
If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.
We Want to Hear from You
We welcome your feedback about this book. Please share your comments and ideas through the following short survey:
http://www.microsoft.com/learning/booksurvey
Your participation helps Microsoft Press create books that better meet your needs and your standards.
NOTE We hope that you will give us detailed feedback in our survey. If you have questions about our publishing program, upcoming titles, or Microsoft Press in general, we encourage you to interact with us using Twitter at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown earlier.
CHAPTER 3
Deploying Forefront TMG 2010 Service Pack 1
■ New Features in Service Pack 1 57
■ Planning Service Pack 1 Deployment 58
■ Installing Forefront TMG 2010 Service Pack 1 59
■ Configuring User Override for URL Filtering 62
■ Reporting Enhancements 65
■ Branch Office Support 66
■ What’s Next? 72
In the summer of 2010, Microsoft released a major product update: Forefront TMG 2010 Service Pack 1 (SP1) for Microsoft Forefront Threat Management Gateway (TMG) 2010. This service pack is intended to not only fix some issues that were detected after Forefront TMG was released, but also add new capabilities to the product. This chapter describes the new features, the way to install Forefront TMG 2010 SP1, the way to deploy the core features available in this service pack, and what’s coming next.
New Features in Service Pack 1
Forefront TMG 2010 SP1 provides improvements to Forefront TMG in four core areas:
■ Reporting Forefront TMG 2010 SP1 changes the look and feel of Forefront TMG reports and adds a new user activity report that can show more detailed information about the pages a user browsed and the URL categories that were requested by the user.
■ Secure Web Access One of the main uses for Forefront TMG is as a Secure Web Gateway (SWG). One of TMG’s core features, called URL Filtering, is a key component of SWG. Forefront TMG 2010 SP1 brings a new capability, called URL Filtering User Override, to this feature. URL Filtering User Override allows users to override the access restrictions put in place by the URL Filtering feature implemented by the TMG administrator.
■ Branch Office Support Forefront TMG 2010 SP1 takes advantage of the BranchCache feature that is available in Windows Server 2008 R2. This feature provides branch office users with an improved browsing experience while reducing bandwidth utilization between the branch and main offices.
■ Publishing A new publishing wizard supports SharePoint 2010 deployments through Forefront TMG.
These features will be covered in detail in this chapter. However, before we discuss new features, it is important to get more details on Forefront TMG 2010 SP1 deployment.
Planning Service Pack 1 Deployment
Before installing Forefront TMG 2010 SP1 on Forefront TMG, it is necessary to plan the deployment to ensure that it goes smoothly. The installation sequence and prerequisites will vary according to your TMG setup. The overall installation process is shown in Figure 3-1:
FIGURE 3-1
In order to carry out the Forefront TMG 2010 SP1 installation procedures correctly, you will need to answer the following questions:
■ Which Forefront TMG version (Enterprise or Standard) are you using?
■ Are the Forefront TMG firewalls deployed as array members or as stand-alone servers?
■ What Forefront TMG role (EMS or Firewall) is the machine providing?
When you have this information, you can determine the installation sequence from Table 3-1.
NOTE Before you apply Forefront TMG 2010 SP1, create a full backup of your current Forefront TMG configuration. You should also have the latest Windows updates installed on the computer on which TMG is installed.
TABLE 3-1 Installation based on the Forefront TMG setup
TMG SETUP: Single Server
INSTALLATION ORDER: 1. Single server installation point
GENERAL NOTES: Regardless of the Forefront TMG setup, always run the setup with an elevated administrative level.
TMG SETUP: Array
INSTALLATION ORDER: 1. Enterprise Management Servers (master and replicas); 2. Array managers; 3. Array members
GENERAL NOTES: Before you install Forefront TMG 2010 SP1 on Forefront TMG Enterprise Edition, you must log on to EMS using the credentials that were used to install EMS during the initial setup process. If you try to install the update using a different administrator account, the installation might fail.
Installing Forefront TMG 2010 Service Pack 1
Assuming that you downloaded Forefront TMG 2010 SP1 in English—from the Microsoft Download Center (http://www.microsoft.com/downloads/details.aspx?FamilyID=f0fd5770-7360-4916-a5be-a88a0fd76c7c&displaylang=en) to a temporary folder, such as C:\temp—start the installation by following these steps:
1. Click Start, right-click Command Prompt, and choose the Run As Administrator option.
2. Type cd c:\temp to switch to the temporary folder.
3. Type TMG-KB981324-AMD64-ENU.msp, and press Enter.
4. On the Open File – Security Warning page, click Open.
5. When the Welcome To The Update For Microsoft Forefront TMG Service Pack 1 page appears, as shown in Figure 3-2, click Next to continue.
FIGURE 3-2
6. When the License Agreement page appears, read the license agreement and select the I Accept The Terms In The License Agreement check box, and then click Next to proceed.
7. The Locate Configuration Storage Server page appears. Because this is the first Forefront TMG to which we are applying Forefront TMG 2010 SP1, the option to specify the configuration storage server is unavailable (grayed out), as shown in Figure 3-3. When you are applying Forefront TMG 2010 SP1 on array members, this option will be available so that you can specify the configuration storage server. Click Next to continue.
FIGURE 3-3
8. When the Ready To Install The Program page appears, click Install.
9. After the installation is finished, the Installation Wizard Completed page appears, as shown in Figure 3-4. Click Finish to conclude the installation.
FIGURE 3-4
10. To confirm that the Forefront TMG 2010 SP1 installation is in place, you can open the Forefront TMG Management console, click System, and verify the Forefront TMG version, which should be 7.0.8108.200, as shown in Figure 3-5.
FIGURE 3-5
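The following PowerShell script is an added example, not code from the book or from the product. It runs steps 1 through 10 above on a single server with the checks a practitioner wants in front of them: the elevation requirement from Table 3-1, the backup called for in the note before the table, a verbose Windows Installer log, and a check for the 7.0.8108.200 build that step 10 has you read off the console. The patch file name and the expected build come from the book; the folder paths, the backup file name and the assumption that wspsrv.exe in the default Forefront TMG folder carries the product build are assumptions of this example.

```powershell
# Added example (not from the book): apply Forefront TMG 2010 SP1 with pre-flight checks.
# Assumptions not stated in the book: the .msp sits in C:\temp, a configuration export was
# saved to C:\temp\tmg-config-backup.xml beforehand, and the firewall service binary
# wspsrv.exe in the default install folder reports the Forefront TMG product build.
$PatchPath      = 'C:\temp\TMG-KB981324-AMD64-ENU.msp'   # file name from the book
$BackupPath     = 'C:\temp\tmg-config-backup.xml'        # assumed export location
$LogPath        = 'C:\temp\TMG-SP1-install.log'          # assumed log location
$ExpectedBuild  = '7.0.8108.200'                         # build shown in the console after SP1
$FirewallBinary = Join-Path $env:ProgramFiles 'Microsoft Forefront Threat Management Gateway\wspsrv.exe'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TmgBuild {
    if (-not (Test-Path $FirewallBinary)) { return $null }
    return (Get-Item $FirewallBinary).VersionInfo.ProductVersion
}

# Table 3-1: whatever the TMG setup, the update must run elevated.
if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

# The note before Table 3-1: no configuration backup, no service pack.
if (-not (Test-Path $BackupPath)) { throw "No configuration backup at $BackupPath; export the configuration first." }
if (-not (Test-Path $PatchPath))  { throw "Patch not found: $PatchPath" }

# Make the script safe to re-run: stop if this server already reports the SP1 build.
$before = Get-TmgBuild
Write-Host "TMG build before the update: $before"
if ($before -eq $ExpectedBuild) { Write-Host 'Service Pack 1 is already installed.'; return }

# Same wizard as double-clicking the .msp (steps 4 to 9), plus a verbose Windows Installer log
# to read alongside the setup logs in %windir%\temp that the Administrator's Insight points to.
$msiexec = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/update `"$PatchPath`" /L*v `"$LogPath`"" -Wait -PassThru
# Windows Installer return codes: 0 = success, 3010 = success but a reboot is required.
if (@(0, 3010) -notcontains $msiexec.ExitCode) { throw "msiexec returned $($msiexec.ExitCode); review $LogPath" }

# Step 10 without the console: compare the build against the one the book expects.
$after = Get-TmgBuild
if ($after -eq $ExpectedBuild) { Write-Host "Forefront TMG is now at build $after." }
else { Write-Warning "Build is '$after', expected $ExpectedBuild; review $LogPath and the setup logs in $env:windir\temp." }
```

On an array member the wizard still prompts for the configuration storage server, as step 7 describes; the script only adds the checks and the log around it. The build check is deliberately a comparison against the exact string from step 10 rather than a "greater than" test, so an unexpected build is surfaced instead of silently accepted.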
Administrator's Insight: Troubleshooting an Installation
There are several issues that you might encounter when installing Forefront TMG 2010 SP1, some of which are documented in the Forefront TMG 2010 SP1
release notes at (http://technet.microsoft.com/en-us/library/ff717843.aspx#troubleshooting). There may be other problems with the installation that will require troubleshooting. The general rule of thumb is to start troubleshooting the installation by reviewing the error messages presented in the UI, and then go to the Forefront TMG setup logs to track the root causes of the issues. The Forefront TMG Setup Installation logs are located at %windir%\temp, and the ADAM Setup log files are located at %windir%\debug.
There are two articles on the TMG Team Blog and one on my blog that describe a general approach to troubleshooting installation issues:
■ "Troubleshooting ERROR: Setup failed to install ADAM.\r\n (0x80074e46) and 0x80070643 while trying to install TMG 2010" can be found at http://blogs.technet.com/b/isablog/archive/2010/07/07/troubleshooting-error-setup-failed-to-install-adam-r-n-0x80074e46-and-0x80070643-while-trying-to-install-tmg-2010.aspx.
■ “Another TMG 2010 Installation failure with error 0x80070643” can be found at http://blogs.technet.com/b/isablog/archive/2010/07/13/another-tmg-2010-installation-failure-with-error-0x80070643.aspx.
■ “Unable to install Forefront TMG 2010 – Error 0x80074e46” can be found at http://blogs.technet.com/b/yuridiogenes/archive/2010/08/16/unable-to-install-forefront-tmg-2010-error-0x80074e46.aspx.
Although these articles are not specifically related to Forefront TMG 2010 SP1, they can be used as troubleshooting methodology for your installation process on Forefront TMG.
Configuring User Override for URL Filtering
In a world in which compliance and security policy enforcement are growing trends, having a secure Web gateway that reflects your IT business requirements is a real advantage. One of the pillars for the Forefront TMG Secure Web Gateway scenario is URL Filtering, which directly affects user productivity by filtering traffic to unwanted destinations. A new enhancement to the URL Filtering feature, introduced with Forefront TMG 2010 SP1, allows users to override restricted Web access and proceed on a per-request basis. This can provide a more flexible Web access policy by allowing users to decide whether to access a site that was initially denied to them. This can help reduce help desk calls, especially for Web sites that have been incorrectly categorized.
While this might sound too flexible when the subject is policy enforcement, the fact of the matter is that the user will receive a warning that a Web site being entered is prohibited and that entering the Web site will be logged. This can help to reveal user Internet usage behavior when accessing prohibited Web sites. This feature uses the logic illustrated in Figure 3-6.
FIGURE 3-6
When Forefront TMG sends the Deny page, as illustrated by Step 4, if the user clicks Override Access Restriction, Forefront TMG will allocate to the user's browser a cookie that will accompany all subsequent Web requests to this domain, and the browser is triggered to reload the URL. Once Forefront TMG receives the Web request with the cookie, it will effectively disable the blocking rule for this particular Web request. It is important to understand that the cookie will remain valid only for the length of the browser session or until the configured time-out period expires. The other important notes about this feature are:
■ In order for the user override feature to work, one of the subsequent firewall policy rules must allow access to the requested destination.
■ User override configuration requires that you create Deny rules; you cannot enable Allow rules with category exceptions and then enable a user override.
■ The user override option only works for the HTTP protocol.
■ User override is not supported for HTTPS traffic.
■ You can’t customize the content type for the user override feature; the rule must apply to all types of HTTP content.
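The decision flow just described, and the five notes above, can be modelled in a short script. The PowerShell below is an added example and not code from the book or from Forefront TMG: it stands in for the rule engine with a constructed two-rule Web access policy, an assumed cookie name and an assumed 30-minute time-out, and walks one request through the Deny page, the override cookie, the reload, the HTTPS exception and the cookie time-out, logging each override the way the text says TMG does.

```powershell
# Added example (not from the book): a model of the user override logic in Figure 3-6.
# The cookie name and the 30-minute time-out are assumptions; TMG's real values are not given here.
$OverrideCookie     = 'TMG-Override'
$OverrideTimeoutMin = 30

# Constructed policy, in evaluation order: a Deny rule with Allow User Override checked,
# followed by the Allow rule that the override depends on (first note above).
$Policy = @(
    @{ Name = 'Deny Social Networking'; Action = 'Deny';  Categories = @('SocialNetworking'); AllowUserOverride = $true },
    @{ Name = 'Allow Web Access';       Action = 'Allow'; Categories = @('*') }
)
$AuditLog = New-Object System.Collections.ArrayList

function Test-RuleMatch($Rule, $Category) {
    return ($Rule.Categories -contains '*') -or ($Rule.Categories -contains $Category)
}

# Evaluate one request against $Policy. $Request is a hashtable with User, Scheme, Host,
# Category and Cookies. Returns the Action, the matching rule and, for a deny, whether the
# Deny page carries the Override Access Restriction button.
function Invoke-WebAccessPolicy($Request, $Now) {
    $cookie = $Request.Cookies[$OverrideCookie]
    # The cookie only counts for the domain it was issued for and until the time-out expires.
    $hasOverride = ($cookie -ne $null) -and ($cookie.Domain -eq $Request.Host) -and ($cookie.Expires -gt $Now)

    foreach ($rule in $Policy) {
        if (-not (Test-RuleMatch $rule $Request.Category)) { continue }
        if ($rule.Action -eq 'Allow') { return @{ Action = 'Allow'; Rule = $rule.Name } }

        # Override is HTTP-only: an HTTPS request never gets the button.
        $offerOverride = $rule.AllowUserOverride -and ($Request.Scheme -eq 'http')
        if ($hasOverride -and $offerOverride) {
            # The Deny rule is disabled for this request only, and the access is logged.
            [void]$AuditLog.Add(('{0:s} OVERRIDE user={1} host={2} rule={3}' -f $Now, $Request.User, $Request.Host, $rule.Name))
            continue   # a later Allow rule must still permit the destination
        }
        return @{
            Action = 'Deny'; Rule = $rule.Name; OfferOverride = $offerOverride
            Message = "Access to $($Request.Host) is prohibited by policy. If you continue, your access will be logged."
        }
    }
    return @{ Action = 'Deny'; Rule = 'Default rule'; OfferOverride = $false }
}

# Step 4 to 5 of Figure 3-6: the user clicks Override Access Restriction, TMG hands the browser
# a cookie bound to this domain, and the browser reloads the URL with it.
function New-OverrideCookie($Request, $Now) {
    return @{ Domain = $Request.Host; Expires = $Now.AddMinutes($OverrideTimeoutMin) }
}

# Walk-through with a constructed request from a constructed user.
$now = Get-Date
$req = @{ User = 'CONTOSO\yuri'; Scheme = 'http'; Host = 'social.example'; Category = 'SocialNetworking'; Cookies = @{} }

$first = Invoke-WebAccessPolicy $req $now                                        # Deny page, button offered
if ($first.OfferOverride) { $req.Cookies[$OverrideCookie] = New-OverrideCookie $req $now }
$reload = Invoke-WebAccessPolicy $req $now                                       # reload with cookie: Allow Web Access matches
$later  = Invoke-WebAccessPolicy $req $now.AddMinutes($OverrideTimeoutMin + 1)   # cookie expired: denied again

$tls = @{ User = 'CONTOSO\yuri'; Scheme = 'https'; Host = 'social.example'; Category = 'SocialNetworking'; Cookies = @{} }
$secure = Invoke-WebAccessPolicy $tls $now                                       # HTTPS: denied, no button

'first={0} (button {1}) reload={2} after-timeout={3} https={4} (button {5})' -f $first.Action, $first.OfferOverride, $reload.Action, $later.Action, $secure.Action, $secure.OfferOverride
$AuditLog
```

Two properties of the model are worth checking against your own policy: the override only skips the Deny rule, so removing or reordering the Allow rule beneath it turns the button into a dead end (the IMPORTANT note later in this section), and every successful override leaves an audit entry, which is what makes the punch-list advice to review the logs for overridden sites workable. The browser-session limit on the cookie is not modelled; only the configured time-out is.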
Now that you know how the core functionality of this feature works, the next step is to implement it by following these steps:
1. Open the Forefront TMG Management console.
2. Click Web Access Policy, right-click the rule that denies the traffic to a set of destinations (for this example we will use the default Deny rule created by the Web Access Policy Wizard), and choose Properties.
3. Click the Action tab, and then select the Allow User Override option, as shown in Figure 3-7.
FIGURE 3-7
NOTE You can also specify a range of time during which the user can stay on the blocked URL. This is the time that the assigned cookie will be valid for the user.
4. To customize the error message that the user will receive when attempting to browse a blocked URL, click Advanced. The Action Advanced Properties dialog box appears, as shown in Figure 3-8.
FIGURE 3-8
5. Type your custom message, as shown in Figure 3-8, click OK, click OK again, and click Apply to commit the changes.
Now that you’ve implemented this feature, you can perform a test using a client who is trying to browse a Web site that matches one of the categories specified on the Deny rule on which the user override feature is enabled. The user will receive an error message, and the Override Access Restriction button will be available, as shown in Figure 3-9.
FIGURE 3-9
IMPORTANT If you don’t have an Allow rule for this destination, the user won’t be able to access this Web site even by clicking Override Access Restriction.
Reporting Enhancements
One of the most highly anticipated changes in Forefront TMG 2010 SP1 is the enhancement to the reporting feature. The new report design changes the look and feel of Forefront TMG reports, and the new format provides clearer information. Figure 3-10 shows an example of the new report main page.
FIGURE 3-10
NOTE More sample reports can be found in “Reporting Improvements in Forefront TMG SP1,” at http://blogs.technet.com/b/isablog/archive/2010/08/15/reporting-improvements-in-forefront-tmg-sp1.aspx.
The user activity report will contain more granular information about the Web sites that the user visited, including the URL category for each site.
NOTE While writing this book, a Reporting issue was detected after installing TMG SP1. To view the problem and the solution for this problem, review Yuri Diogenes’s answer on the following forum thread: http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeMLR/thread/543b0ef3-68fa-442c-bb3d-a42177809016.
Branch Office Support
The new Branch Office integration functionality uses a new wizard to help you take advantage of the Windows Server 2008 R2 BranchCache role. This option enables Forefront TMG to act as Hosted Cache Server in a branch office scenario. The Forefront TMG UI dashboard for branch and Web cache utilization can be used for monitoring. To illustrate this feature and the capability to use a Read-Only Domain Controller (RODC) on Forefront TMG, we are going to use the topology shown in Figure 3-11.
FIGURE 3-11
In order to prepare the RODC you will need to:
■ Verify that you have network connectivity to the Headquarters Domain Controller (HQ DC) and that you set the branch server's DNS to the HQ DC.
■ If the RODC role is already installed on the server located in the branch office, create a slipstream version of Forefront TMG with Forefront TMG 2010 SP1 to install on top of the RODC. If you try to prepare the RODC without the slipstream version, you will receive the error message shown in Figure 3-12.
FIGURE 3-12
■ Verify that the server located in the branch office is already a member of the domain (in this case it is a member of contoso.com).
■ Verify that the server located in the branch office uses the domain controller at headquarters as its DNS server.
■ Verify that the certificate that will be used by the BranchCache feature is already installed on Forefront TMG under Personal Store, which is under Certificates (Local Computer). Remember that the certificate must be trusted by the clients that are behind Forefront TMG in the branch office.
With these elements in place, the first step is to prepare the forest for an RODC so that the RODC role can be enabled on the server on which Forefront TMG is installed. To do that, the forest must be at a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 functional level. You must run the adprep /rodcprep command on the current domain controller for the domain.
After preparing the forest, you will run the dcpromo command on the server on which Forefront TMG will be installed, and then follow the wizard. On the Additional Domain Controller Options page, be sure to select the Read-Only Domain Controller (RODC) option, as shown in Figure 3-13.
FIGURE 3-13
Continue to follow the wizard to complete the promotion of this server to a read-only domain controller.
NOTE For the complete planning and deployment guide for Active Directory RODC, review the article "Deploying RODCs in Branch Offices" at http://technet.microsoft.com/en-us/library/dd735411(WS.10).aspx.
The next step is to install Forefront TMG 2010 SP1 on the server on which the RODC is installed:
1. Run the following command from an elevated command prompt:
ServerManagerCmd.exe -inputpath <DVD_path>\FPC\PreRequisiteInstallerFiles\WinRolesInstallSA_Win7.xml -logPath C:\Windows\TEMP\TMG-Prerequisites.log
2. Prepare a Forefront TMG 2010 SP1 slipstream DVD by following these steps:
• Copy the Forefront TMG DVD and the Forefront TMG 2010 SP1 MSP file to a local drive on the target computer. For the purposes of this example, let’s assume this is c:\temp\TMG. At a command prompt, type the following command and press Enter.
msiexec /a c:\temp\TMG\FPC\MS_FPC_SERVER.msi /p TMG-KB981324-amd64-ENU.msp /qb /L*v c:\tmg\log.txt
• Run the upgraded setup program by typing c:\temp\TMG\FPC\setup.exe at a command prompt and pressing Enter. Follow the wizard for the Forefront TMG installation. For more information on Forefront TMG installation, review Chapter 2, “Installing and Configuring Forefront Threat Management Gateway 2010.”
NOTE During the installation process, be sure to define the internal network to include the branch subnets and complete the installation.
The Forefront TMG installation automatically identifies that it is running on a domain controller and enables the system policy that allows DC traffic from the internal network to the Forefront TMG server as well as from the HQ DCs (if they are outside the internal network).
Every branch account (user or computer) that is joined to the domain needs to have its password replicated to the RODC for authentication. To replicate the password, complete the following steps on the HQ DC:
1. In the Active Directory Users and Computers console, select the Domain Controllers branch, right-click on the RODC, and select Properties.
2. Click the Password Replication Policy tab, and then click Add.
3. Select Allow Passwords For The Account To Replicate To This RODC, select all relevant local users for this branch, and then click OK.
4. On the RODC’s Properties page, click Advanced, and verify that the user accounts you added appear in the list of Accounts for which the passwords are stored on this Read-only Domain Controller.
5. Active Directory must complete replicating the user information to the RODC before you can log on with these accounts.
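Steps 1 through 5 above can also be done from PowerShell on the HQ DC. The script below is an added example and not the book's procedure; it assumes the HQ DC runs Windows Server 2008 R2 with the Active Directory module available, and the RODC name, the group name and the account names are constructed. It also adds two checks the console steps leave implicit: that the denied list still holds the privileged groups (a denied entry always wins over an allowed one), and the difference between what the policy allows and what the RODC has actually cached.

```powershell
# Added example (not from the book): Password Replication Policy for the branch RODC via the AD module.
# Assumptions: the HQ DC runs Windows Server 2008 R2 with the ActiveDirectory module; names are constructed.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-TMG'      # assumed: the branch server that runs the RODC role and Forefront TMG
$BranchGroup = 'Branch-Users'    # assumed: group holding the accounts that log on at the branch
$BranchUsers = @('yuri', 'tom')  # constructed sample accounts

# Steps 2 and 3: allow the branch accounts' passwords to replicate to this RODC. A group keeps the
# policy reviewable; a new branch user later is a group membership change, not a policy change.
if (-not (Get-ADGroup -Filter { Name -eq $BranchGroup })) {
    New-ADGroup -Name $BranchGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $BranchGroup -Members $BranchUsers
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# Denied entries win over allowed ones. The privileged groups are denied by default; confirm that
# nobody has removed them, since this RODC is also the branch firewall.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied | Select-Object Name

# Step 4: what the policy allows now ...
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
# ... versus which secrets are actually cached on the RODC. This list fills in only after step 5's
# replication and a first logon at the branch, or after the pre-population below.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts | Select-Object Name

# Optional: pre-populate the branch users' secrets from the PDC emulator so the first logon at the
# branch does not depend on the WAN link to headquarters.
$sourceDc = (Get-ADDomain).PDCEmulator
foreach ($user in $BranchUsers) {
    repadmin /rodcpwdrepl $Rodc $sourceDc (Get-ADUser -Identity $user).DistinguishedName
}
```

The allowed list should stay limited to accounts that genuinely authenticate at the branch; every secret cached on the RODC is a secret that sits on the same box as the firewall, which is why the denied-list check is part of the script rather than an afterthought.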
The next step to configure the branch office Forefront TMG is to enable BranchCache support. To perform this operation:
1. Open the Forefront TMG Management console.
2. Click Firewall Policy, and on the Task Pane, click Configure BranchCache.
3. In the BranchCache window, select Enable BranchCache (Hosted Cache Mode), as shown in Figure 3-14.
FIGURE 3-14
4. Click the Authentication tab; click Select, as shown in Figure 3-15; and then choose the certificate that will be presented to the client computers for authentication.
FIGURE 3-15
5. Optionally, you can select the Require Client Computers To Be Members Of The Same Domain As Forefront TMG option if you want to restrict the access to this feature. If Forefront TMG is in a workgroup, you should not use this option.
6. Click OK to continue, and then click Apply to commit the changes.
What’s Next?
At the time we were writing this chapter, the Forefront TMG product team was finalizing the next update (post-SP1) for Forefront TMG; it is called Update 1. Update 1 will include some additions to the product, such as:
■ SafeSearch This is a feature that acts as an automated adult-oriented-content filter in Web search engines, such as Bing and Yahoo. SafeSearch is activated by the end user from a search Web page. Forefront TMG can be used for SafeSearch enforcement when organizational policy requires that all or some of its personnel perform SafeSearch only.
NOTE For more information about the SafeSearch feature, read http://blogs.technet.com/b/isablog/archive/2010/09/21/new-in-forefront-tmg-update-1-safesearch-enforcement.aspx.
■ Multiple Categories for URL Filter This capability provides a way of assigning multiple categories to a single URL. With this feature, a Forefront TMG Administrator will be able to create access rules that consider all categories returned by Microsoft Reputation Services. An example of the usability of this option is: a site can be categorized as primarily a “general business” site, but also as a “Webmail” site. In this case, the “general business” category is ranked higher than the “Webmail” category. So, for example, if a Forefront TMG Administrator wanted to block Webmail, but couldn’t with Forefront TMG 2010 SP1 because a site’s primary category was general business, the multiple categories feature of Update 1 will allow the Webmail to be blocked.
NOTE For more information about the Multiple URL Categories feature, read http://blogs.technet.com/b/isablog/archive/2010/09/21/new-in-forefront-tmg-update-1-multiple-url-categories.aspx.
■ Improve Support of User Account Control in Patch Installation and Uninstallation Update 1 will include improvements in the installation and uninstallation processes to provide a better product experience in scenarios in which User Account Control (UAC) is enabled.
Beyond these core changes, other minor changes will be included in Update 1.
Administrator’s Punch List
In this chapter, you learned about the new features of Forefront TMG 2010 SP1 and how to configure those features, you learned about the enhancements included in Forefront TMG 2010 SP1, and you heard about what’s coming next with Update 1. When preparing to deploy Forefront TMG 2010 SP1, keep in mind the following points:
■ Review your current environment before deploying Forefront TMG 2010 SP1. Knowing the current role of each Forefront TMG can assist you in installing this service pack in the correct order.
■ In an enterprise scenario, before you install Forefront TMG 2010 SP1, you must log on to the EMS using the same credentials that were used to install EMS during the setup process.
■ You will need to use administrative elevated privileges in order to install Forefront TMG 2010 SP1.
■ If you have installation problems, review the Forefront TMG installation logs under %windir%\temp.
■ When using the URL Filtering User Override option, be sure to review the reports and logs to identify the users who are using sites that were initially blocked by URL Filtering.
■ After installing Forefront TMG 2010 SP1, review the new report design, and create new reports based on user activity.
■ Be sure to plan the BranchCache deployment before enabling it.
■ If the RODC role is already installed on the server on which Forefront TMG 2010 SP1 will be installed, it will not work with the Forefront TMG RTM version. You will need to create a slipstream version of Forefront TMG.
■ To prepare for the RODC installation, you must run the adprep /rodcprep command on the current controller for the domain.