Network Protection

In a Dynamic network environment, network security is automated and proactive. Centralized alerting and reporting help the organization meet network protection service level agreements, and network security, alerts, and compliance are integrated with all other company tools to provide a complete, company-wide scorecard view and threat assessment.

This white paper describes major steps and tasks that an organization can take to move from a Rationalized to a Dynamic network security infrastructure.

Capability: Data Center Services, Server Security
Applies to: Windows Server 2008 R2, Forefront Threat Management Gateway (TMG) 2010
Attributes: Network Protection
Author: Steve Suehring
Published: October 2010



Disclaimer

This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2010 Microsoft. All rights reserved.




Contents

Introduction
Network Protection
Steps to a Dynamic Environment
Design Forefront Deployment
  Identify and Map Your Installation Goals
  Identify and Map Your High-Availability and Scalability Deployment Goals
  Identify and Map Your Internet and Remote Access Design Goals
  Identify and Map Your Protection Design Goals
  Identify and Map Your Administration Goals
Perform Preinstallation Tasks
Prepare for Installation
Install in Interactive Mode
Install an Enterprise Management Server for Centralized Management
Install Forefront TMG Service Pack 1
Configure Deployment Settings
  Configure Network Settings
  Configure Server and System Settings
  Configure Deployment Settings
Configure Networks and Routing
  Define Network Rules
  Define Network Adapters
  Enable ISP Redundancy
Configure Client Computers
Create an Enterprise Array
Monitor, Alert, and Report
Conclusion



Introduction

Microsoft Infrastructure Optimization (IO) is based on three information technology (IT) models: Core IO, Application Platform Optimization, and Business Productivity IO. Each of these models contains four levels of process maturity and capability classifications as logical groupings of requirements for each level of maturity. Core IO focuses on the foundational elements of IT services and components. Maturity levels in Core IO are Basic, Standardized, Rationalized, and Dynamic. This guide contains checklists to help move from the Rationalized level to the Dynamic level for the Network Protection sub-workload in the Core IO model.

See Infrastructure Optimization at http://www.microsoft.com/infrastructure/ for more information about Core IO.

Network Protection

In a Standardized IT environment, networks are protected by multiple products: firewalls, intrusion prevention systems, gateway anti-virus, and web filtering technologies are often supplied by a number of different vendors. Rationalized IT environments integrate these products, and all of them are deployed with support for server and domain isolation.

Dynamic IT environments use centralized alerting and reporting to meet network protection service level agreements. They use scorecard views and threat assessments to see an updated, visual representation of the current protection status and network health. The accuracy of these views depends on all security, alerting, and compliance products being integrated, so that they all feed the same data.

Microsoft Forefront Threat Management Gateway (TMG) 2010 provides an enterprise-ready solution for management of network security, with a comprehensive set of monitoring, alerting, and reporting capabilities built in. Using the Forefront TMG dashboard you can view threat status in real time, receive alerts, and configure automated handling of alert responses.


Steps to a Dynamic Environment

Figure 1. Major steps for moving toward dynamic network protection

This guide will help you install and use Forefront TMG to move your network security to the Dynamic level. Forefront TMG, when combined with the upcoming release of Microsoft System Center, will provide additional integration functionality for Dynamic IT organizations. Figure 1 provides an overview of the major steps in this process, and the remainder of this document provides a task-by-task checklist corresponding to each major step.

Design Forefront Deployment

Figure 2. Design Forefront deployment

Before you begin, it is important to identify the areas involved in a Forefront TMG deployment. Consider the following:

- Installation goals
- High-availability goals
- Remote access
- Protection design
- Administration

Each of these items will be addressed using the checklists found in Tables 1 through 5. Prior to completing these steps, you should be familiar with Forefront TMG and the Forefront family. After completion, you will be able to begin deployment of Forefront TMG. This flow is shown in Figure 2.

Identify and Map Your Installation Goals

Table 1 describes the tasks related to identifying and mapping your installation goals. If you are not already familiar with the concepts, you should review the important concepts related to Forefront TMG on the Forefront TMG web site.

Table 1. Identify and Map Your Installation Goals

Task: Plan for migration.
Description: Use the Planning for migration reference if your installation goal is migration from ISA Server 2004 or 2006, a Forefront release candidate, or an upgrade from Forefront TMG Standard Edition to Enterprise Edition.
Reference: Planning for migration

Task: Plan for installation.
Description: If you are deploying Forefront TMG, understanding the options that are available for a new installation will help you determine the most appropriate configuration for your environment.
Reference: Planning to install Forefront TMG

Task: Provision server hardware.
Description: Before you install Forefront TMG, review the Forefront TMG 2010 hardware recommendations to ensure that your hardware is sufficient for your deployment. The hardware requirements for servers running Forefront TMG vary, and are dependent on a number of factors which are detailed in the referenced link.
Reference: Forefront TMG 2010 hardware recommendations

Task: Integrate Forefront TMG into the network.
Description: Review the network topology recommendations and select the Forefront TMG network topology that is most suitable for your existing network and its security requirements.
Reference: Planning Forefront TMG network topology

Task: Determine deployment environment.
Description: During installation, you can choose to deploy Forefront TMG Enterprise in a domain environment or in a workgroup environment. The workgroup and domain considerations help you select your deployment environment, based on the several considerations which are explained in the referenced link.
Reference: Workgroup and domain considerations

Task: Prepare certification infrastructure.
Description: Review the certification infrastructure plan. Forefront TMG uses Windows Server 2008 Active Directory Certificate Services (AD CS) to issue and manage certificates that are used in several scenarios which are explained in the referenced link.
Reference: Planning for server certificates

Task: Control Forefront TMG administering and auditing.
Description: Forefront TMG provides roles for administering and auditing for a single server, an array of servers, or multiple arrays.
Reference: About Forefront TMG roles and permissions

Task: Prepare domain name resolution infrastructure.
Description: For domain name resolution, Forefront TMG relies on the Domain Name System (DNS) for both inbound and outbound traffic. Review the items related to planning domain name resolution for Forefront TMG.
Reference: Planning for domain name resolution

Task: Prepare internal computers to communicate with the Forefront TMG server.
Description: Firewall client computers are internal computers that communicate with the Forefront TMG server.
Reference: About firewall client computers

Task: Enable internal computers for Web proxy detection.
Description: Internal computers in networks protected by Forefront TMG can automatically detect the location of the Forefront TMG server they should use as a Web proxy.
Reference: Planning automatic Web proxy detection

Identify and Map Your High-Availability and Scalability Deployment Goals

Table 2 describes how to plan the high availability aspects of your Forefront TMG deployment.

Table 2. Identify and Map Your High-Availability and Scalability Deployment Goals

Task: Ensure the operational continuity of the Forefront TMG deployment and meet increasing performance demands.
Description: Plan the Forefront TMG deployment according to your availability and scalability needs, by using a Forefront TMG array or a number of arrays.
Reference: Planning for Forefront TMG server high availability and scalability

Task: Ensure uninterrupted connection to the Internet.
Description: Review the high-availability options to help the Forefront TMG administrator ensure uninterrupted connection to the Internet. This is relevant for organizations where:
- Forefront TMG is deployed at the network edge, thus serving as the organization's gateway to the Internet.
- Connection to the Internet is provided by two Internet service providers (ISPs).
Reference: Planning for Internet service provider high availability

Task: Enable high availability of servers in a published Web server farm, for inbound access.
Description: When you publish a farm of Web servers that perform the same role or host the same content, you can enable high availability for inbound access by configuring Forefront TMG to control the load balancing among the servers in the farm. Load balancing distributes requests evenly among the available Web servers, detects offline servers, implements failover, and lets you take farm servers out for maintenance, all without disrupting current endpoint connections.
Reference: About Web publishing load balancing

Identify and Map Your Internet and Remote Access Design Goals

Table 3 describes how to create the plan for remote access with Forefront TMG.

Table 3. Identify and Map Your Internet and Remote Access Design Goals

Task: Prepare authentication infrastructure.
Description: Forefront TMG can allow or deny Web access to resources based on user authentication. Use this task to prepare the authentication infrastructure.
Reference: Overview of authentication in Forefront TMG

Task: Control access to and from your internal network.
Description: Create a plan to control access to and from your internal network. Forefront TMG controls and protects internal network access by inspecting and filtering traffic between the internal network and the Internet, between networks, and between the Forefront TMG server and services with which it communicates.
Reference: Planning to control network access

Task: Control and protect internal users who access the Internet.
Description: Create a plan for web access. Forefront TMG provides web access control and protection for internal users accessing the Internet, by providing authentication, packet filtering, stateful inspection, and application layer filtering.
Reference: Planning for web access

Task: Make internal applications and services available to internal and external users.
Description: Forefront TMG publishing enables you to make internal applications and services available to both internal and external users. Review the options for application publishing.
Reference: Planning for publishing

Task: Improve performance and response times for web requests from the Internet and from published web servers.
Description: Forefront TMG implements a caching mechanism to improve performance and response times for Web requests from the Internet, and from published Web servers.
Reference: Planning to cache Web content

Task: Improve performance and response times for branch office clients that request content over a wide area network (WAN).
Description: Create a plan for using BranchCache with your Forefront TMG deployment. BranchCache is a WAN bandwidth optimization technology that is included in some editions of the Windows Server 2008 R2 and Windows 7 operating systems. To optimize WAN bandwidth utilization, BranchCache copies content from your main office content servers and caches the content at branch office locations, thus allowing client computers at branch offices to access the content locally rather than over the WAN.
Reference: Planning for BranchCache (SP1)

Task: Enable cost-effective, secure remote access to your internal network.
Description: With the Forefront TMG computer as the virtual private network (VPN) server, the corporate network is protected from malicious VPN connections. Review the options for VPN access with Forefront TMG.
Reference: Planning for virtual private networks

Task: Enable the use of Internet telephony.
Description: Voice over IP (VoIP) is used in Internet telephony to transmit voice and video communications over intranets, extranets, and the Internet. Your plan to enable VoIP traffic through Forefront TMG will depend on the deployment of VoIP in your organization, and on the relationships between the IP Private Branch Exchange (PBX), the public switched telephone network (PSTN), and the Internet telephony service provider (ITSP).
Reference: Preparing to enable VoIP through Forefront TMG

Identify and Map Your Protection Design Goals

Table 4 will help you identify the protection goals for your deployment of Forefront TMG.

Table 4. Identify and Map Your Protection Design Goals

Task: Plan to protect your network against operating system and application vulnerabilities.
Description: Create a plan to protect against these attacks. Forefront TMG protects your network against exploits of known vulnerabilities in operating systems and applications with the Network Inspection System (NIS), the signature-based part of the Forefront TMG Intrusion Prevention System. Because NIS is signature-based, its coverage is only as current as its definitions. This task is designed to help you plan how to use Forefront TMG to protect your network against operating system and application vulnerabilities.
Reference: Planning to protect against known vulnerabilities

Task: Plan to protect your network against network attacks, using behavior-based detection features such as intrusion detection, flood mitigation, and spoof detection.
Description: Create a plan to protect against these attacks. Using behavior-based intrusion detection techniques, Forefront TMG can protect your network against network attacks through features such as intrusion detection, flood mitigation, and spoof detection. These behavior-based protections complement the signature-based NIS.
Reference: Planning to protect against network attacks

Task: Plan to protect your organization from malware and other Web-based threats.
Description: This task will assist in creating a protection plan for Web-based attacks. The following topics are designed to help you plan how to use Forefront TMG to protect your organization from malware and other Web-based threats:
- Planning to protect against malicious Web content
- Planning for URL filtering
- Planning for HTTP filtering
- Planning for HTTPS inspection
Reference: Planning to protect against Web browsing threats

Task: Plan to protect your network against e-mail spam and viruses.
Description: Create a plan for using Forefront TMG to protect your network against spam and viruses that enter your organization via e-mail. Forefront TMG inspects mail traffic en route to Simple Mail Transfer Protocol (SMTP) servers before the mail reaches user mailboxes.
Reference: Planning to protect against e-mail threats

Task: Create a plan to keep protection definitions constantly updated.
Description: Create a plan for keeping your Forefront TMG definitions updated. Some Forefront TMG protection mechanisms use Microsoft product updates to keep protection definitions constantly updated. These include:
- Email antivirus and anti-spam protection. For information, see Planning to protect against e-mail threats.
- Malware inspection. For information, see Planning to protect against malicious Web content.
- NIS. For information, see Planning to protect against known vulnerabilities.
Reference: Planning for updates of protection definitions

Identify and Map Your Administration Goals

Use the checklist in Table 5 to plan the administration goals of your Forefront TMG deployment. After completing the tasks in Table 5 you'll be able to move on to preinstallation tasks.

Table 5. Identify and Map Your Administration Goals

Task: Plan for monitoring and alerting.
Description: Forefront TMG provides several monitoring and logging options. Consider the monitoring and alerting needs of your organization as they relate to Forefront TMG.
Reference: Planning for monitoring and logging

Task: Plan for disaster recovery.
Description: Forefront TMG includes a backup and restore feature that enables you to export its configuration to an .xml file, and then import that configuration back into Forefront TMG.
Reference: Planning for backup and restore

Task: Plan for reporting.
Description: Forefront TMG provides flexible, customizable reports that can help you analyze and summarize log information, as well as create a permanent record of common usage patterns.
Reference: Planning for reporting

Perform Preinstallation Tasks

Figure 3. Perform preinstallation tasks

This step walks you through the preinstallation tasks related to a Forefront TMG deployment, as depicted in Figure 3. Prior to beginning the installation of Forefront TMG, you need to perform several tasks, including verification of requirements and configuration and some additional planning.

Before starting this step, you should have a design plan for your Forefront TMG deployment. After completing the tasks in Table 6, you will be able to run the Preparation Tool.

Table 6. Perform Preinstallation Tasks

Task: Verify requirements.
Description: Verify that the computer on which you want to install Forefront TMG complies with the system hardware and software requirements.
Reference: System requirements for Forefront TMG

Task: Run Windows Update.
Description: Run Windows Update. If updates are applied, reboot the computer before installing Forefront TMG.
Reference: Preparing for Installation

Task: Choose installation mode.
Description: Decide whether to run the Forefront TMG installation in interactive or unattended mode.
- Interactive mode. Recommended for installation of a single Forefront TMG server, or a small number of Forefront TMG servers. For instructions, see Installing Forefront TMG services in interactive mode.
- Unattended mode. Recommended for deployments of multiple Forefront TMG servers. For instructions, see Installing Forefront TMG services in unattended mode.
Reference: Planning to install Forefront TMG

Task: Select the required installation option, depending on your environment.
Description: Select from the following three options:
- Install a single Forefront TMG server on the computer, including all Forefront TMG services and the Forefront TMG Management console, for local management. For instructions, see Installing Forefront TMG.
- Install only the Forefront TMG Management console (for the remote management of Forefront TMG servers that are installed on other computers). For instructions, see Installing the Management console for remote management.
- Install an Enterprise Management Server (EMS), which will enable you to centrally manage multiple Forefront TMG arrays. For instructions, see Installing an Enterprise Management Server (EMS) for centralized management.
Reference: Planning to install Forefront TMG

Task: Verify network adapter configuration.
Description: Verify the configuration of network adapters. All network adapters must be properly installed and configured with the appropriate IP addresses before you install and configure Forefront TMG.
Reference: Planning Forefront TMG network topology

Task: Plan domain name resolution.
Description: Before you start the installation, you must plan how to configure domain name resolution in Forefront TMG.
Reference: Planning for domain name resolution

Prepare for Installation

Figure 4. Prepare for installation

Before installing Forefront TMG, you must run its included Preparation Tool to verify that the applications required for the successful installation of Forefront TMG are installed on your computer. Your installation of Forefront TMG will fail if the computer does not include the required applications; running the Preparation Tool helps you avoid losing time and resources on an unsuccessful installation.

After completing this step (shown in Table 7), you will be ready to install Forefront TMG.

Table 7. Prepare for Installation

Task: Run Preparation Tool.
Description: Examine the prerequisites related to Forefront TMG deployment. Several software prerequisites exist for Forefront depending on the installation type chosen.
Reference: Preparing for Installation; Planning to Install Forefront TMG

Task: Choose installation type.
Description: On the Installation Type page of the setup process, select the required installation type option:
- Forefront TMG services and Management.
- Forefront TMG Management only.
- EMS for centralized array management.
Reference: Installation design guide for Forefront TMG

Task: Launch the installation wizard.
Description: The Preparation Tool downloads and installs the prerequisite applications, according to the selected Forefront TMG installation type. On the Preparation Tool's Preparation Complete page, select Launch Forefront TMG Installation Wizard and then click Finish.
Reference: Planning to Install Forefront TMG

Install in Interactive Mode

Figure 5. Install Forefront TMG in interactive mode

With the completion of the previous checklists, you're now ready to install Forefront TMG. Table 8 describes the tasks necessary to install Forefront TMG in interactive mode. This process is illustrated in Figure 5. In interactive mode, you monitor the installation process, and then enter the required setup information when prompted by the setup process.

Prior to completing this step, you should have completed a Forefront design for your network infrastructure. Additionally, you should have run the Forefront Preparation Tool. Finally, you need to be a member of the Administrators group in order to run Forefront TMG installation in interactive mode.

After completing this step, you will have Forefront TMG installed and will be able to install applicable service packs and expand the deployment to provide Enterprise Management.

Table 8. Install Forefront TMG in Interactive Mode

Task: Insert or access installation media.
Description: Insert the Forefront TMG DVD into the DVD drive, or run Autorun.hta from a shared network drive.
Reference: Installing Forefront TMG services in interactive mode

Task: Run installation wizard.
Description: On the main setup page, click Run Installation wizard to launch the Forefront TMG Installation Wizard.

Task: Select Forefront TMG services and Management.
Description: On the Installation Type page, click the Forefront TMG services and Management button.

Task: Select path.
Description: On the Installation Path page, specify the Forefront TMG installation path.

Task: Define internal network.
Description: On the Define Internal Network page, click Add, click Add Adapter, and then select the adapter that is connected to the main corporate network.
Reference: Adding IP addresses to the internal network

Task: Install Forefront TMG.
Description: On the Ready to Install the Program page, click Install.
Reference: Installing Forefront TMG services in interactive mode

Install an Enterprise Management Server for Centralized Management

Figure 6. Install an EMS for centralized management

The Forefront TMG EMS enables you to centrally manage Forefront TMG arrays. You can create and update enterprise policies, and create policy rules which you can then assign to the arrays in the enterprise. The EMS is a key element in the move toward a Dynamic IT environment.

Table 9 describes the tasks necessary to install EMS in a Forefront implementation. This process is illustrated in Figure 6.

Prior to completing this step, you should have Forefront TMG fully installed. After completing this step, you'll be able to install Service Pack 1 for Forefront TMG and then move on to the configuration of Forefront in your environment.

Table 9. Install an EMS for Centralized Management

Task: Insert or access installation media.
Description: Insert the Forefront TMG DVD into the DVD drive, or run Autorun.hta from a shared network drive.
Reference: Installing an Enterprise Management Server (EMS) for centralized management

Task: Run Windows Update.
Description: On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must relaunch the setup, as described in step 1.

Task: Run Preparation Tool.
Description: On the main setup page, click Run Preparation Tool.
Reference: Preparing for installation

Task: Run Forefront Installation Wizard.
Description: On the main setup page, click Run Installation Wizard to launch the Forefront TMG Installation Wizard.

Task: Select EMS option.
Description: On the Setup Scenarios page, click Enterprise Management Server for centralized array management.

Task: Specify path.
Description: On the Installation Path page, specify the Forefront TMG installation path.

Task: Select options.
Description: On the Enterprise Management Server Configuration page, do one of the following:
- Click Create a new enterprise configuration on this EMS to create new enterprise policies and policy rules for this installation of EMS.
- Click Copy an existing enterprise configuration to this EMS to duplicate the enterprise configuration of an existing EMS to this computer. The configuration copied includes enterprise policies and settings of the arrays of the enterprise.

Task: Enter name or locate configuration.
Description: Depending on what you chose in the previous step, enter either the name for the new Enterprise or the location of a configuration storage server.
Reference: Installing an Enterprise Management Server (EMS) for centralized management

Task: Copy or replicate.
Description: On the Forefront TMG Configuration Replicate Source page:
- Click Replicate over the network to copy settings over the network.
- Click Copy from the restored backup files to copy settings from a backup folder.

Task: Select the membership type.
Description: On the Enterprise Deployment Environment page, select the membership type of your Forefront TMG Enterprise deployment.
- Click Single domain deployment if the enterprise computers are in the same domain.
- Click Workgroup deployment if the enterprise computers reside in a workgroup. You must install a server certificate.
Reference: For more details on installing server certificates, see Creating certificates.

Install Forefront TMG Service Pack 1

Figure 7. Install Forefront TMG Service Pack 1

Service Pack 1 is available for Forefront TMG and should be installed as part of the initial deployment. This section describes the steps necessary to install Forefront TMG Service Pack 1. Table 10 walks you through installing Service Pack 1, as shown in Figure 7.

Prior to completing this step of your deployment, you should have Forefront TMG installed, along with its Enterprise Management option. After completing this step you'll be able to begin specific configuration of Forefront TMG within your environment.

Table 10. Install Forefront TMG Service Pack 1

Task: Acquire the service pack.
Description: You can acquire Forefront TMG SP1 from two sources:
- The Microsoft Download Center
- Microsoft Update
Reference: Acquiring the Service Pack

Task: Understand service pack installation.
Description: Ensure that you understand the ramifications of updating standalone servers and those participating in a mixed environment.
Reference: Before you install Forefront TMG SP1

Task: Back up the enterprise configuration.
Description: Before installing, you should back up the enterprise configuration and save the configuration in a secure location.
Reference: Backing up and restoring the enterprise configuration

Task: Back up the Forefront TMG configuration.
Description: Before installing, you should back up the Forefront TMG configuration on each array member, and save the configuration in a secure location.
Reference: Backing up and restoring the Forefront TMG configuration

Task: Upgrade Forefront TMG.
Description: Install Service Pack 1 according to your environment, either within a single server deployment or in an enterprise array. Be sure to note the order of installation in enterprise environments.
Reference: Upgrading a single server deployment; Upgrading an array or enterprise deployment; Order of installation; Installing Forefront TMG SP1 in an enterprise deployment

Task: Verify service status.
Description: Forefront TMG services might not start after you install or remove Forefront TMG SP1. This problem may occur if the computer that is running the services is not synchronized with the EMS. In this case, use the Monitoring node of the Forefront TMG Management console to manually restart the services.

Task: Back up the configuration after installation.
Description: Be sure to back up the SP1 configuration after completing the upgrade.

Task: Migrate log databases (if necessary).
Description: If you are logging to a remote SQL database, you are required to migrate the log database to the new schema. For instructions, see "Upgrading a remote SQL database for Forefront TMG SP1" on the TechNet Wiki.
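The backup and service-status steps in Table 10 (and the disaster-recovery row in Table 5, which notes that the configuration is exported to an .xml file) can be scripted so that the pre-upgrade and post-upgrade backups are taken the same way. The following PowerShell is an added example, not code from the white paper or from Microsoft. It assumes the Forefront TMG SDK COM object FPC.Root, its GetContainingArray() and Enterprise members, and the ExportToFile(fileName, optionalData, encryptionPassword, comment) method with the FpcExportImportOptionalData flag values 1 (passwords) and 4 (server-specific settings); it also assumes the TMG service display names begin with "Microsoft Forefront TMG" and uses D:\TMG-Backups as the backup path. All of these are assumptions to verify against your SDK and server. The script encrypts exported secrets with a password you supply, restricts the backup folder's ACL to Administrators and SYSTEM (the "secure location" the table asks for), records a SHA-256 hash so a later restore can detect a truncated or altered export, and checks that the TMG services are running after the upgrade.

```powershell
# Added example: back up the Forefront TMG configuration before and after the SP1 upgrade
# and verify service status afterwards. Written for PowerShell 2.0 on Windows Server 2008 R2.
# ASSUMPTIONS (not from the white paper): FPC.Root COM object, ExportToFile() signature and
# flag values from the TMG SDK, service display names 'Microsoft Forefront TMG*', path D:\TMG-Backups.

function Protect-BackupFolder {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting the parent's ACL
    $inherit = 'ContainerInherit,ObjectInherit'
    foreach ($id in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl $Path $acl
}

function Backup-TmgConfiguration {
    param(
        [Parameter(Mandatory=$true)][string]$BackupDir,
        [Parameter(Mandatory=$true)][string]$Label,                              # e.g. pre-sp1 / post-sp1
        [Parameter(Mandatory=$true)][System.Security.SecureString]$ExportPassword,
        [switch]$Enterprise                                                         # export the EMS enterprise config instead of the array
    )
    Protect-BackupFolder $BackupDir
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $scope = if ($Enterprise) { 'enterprise' } else { 'array' }
    $file  = Join-Path $BackupDir ("tmg-{0}-{1}-{2}-{3}.xml" -f $env:COMPUTERNAME, $scope, $Label, $stamp)

    $root   = New-Object -ComObject 'FPC.Root'                                      # assumed TMG SDK ProgID
    $target = if ($Enterprise) { $root.Enterprise } else { $root.GetContainingArray() }
    # 1 = include passwords (encrypted with $ExportPassword), 4 = include server-specific settings (assumed values)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ExportPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $target.ExportToFile($file, 5, $plain, "SP1 upgrade backup: $Label")
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)                      # scrub the plaintext copy
    }

    # Record a hash so the restore procedure can detect a tampered or truncated export.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($file)
    try   { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    "$hash  $(Split-Path $file -Leaf)" | Out-File -Append -Encoding ASCII (Join-Path $BackupDir 'SHA256SUMS')
    return $file
}

function Test-TmgServices {
    # Display names are assumed to start with 'Microsoft Forefront TMG'; adjust for your build.
    $svcs    = @(Get-Service | Where-Object { $_.DisplayName -like 'Microsoft Forefront TMG*' })
    $stopped = @($svcs | Where-Object { $_.Status -ne 'Running' })
    foreach ($s in $stopped) { Write-Warning ("{0} is {1}" -f $s.DisplayName, $s.Status) }
    return ($svcs.Count -gt 0 -and $stopped.Count -eq 0)
}

# Usage: take the backup before running the SP1 setup, then verify and back up again afterwards.
$pw = Read-Host -AsSecureString 'Export encryption password'
Backup-TmgConfiguration -BackupDir 'D:\TMG-Backups' -Label 'pre-sp1' -ExportPassword $pw
# ... install SP1 here, in the order given by the "Order of installation" reference ...
if (-not (Test-TmgServices)) {
    Write-Warning 'Restart the services from the Monitoring node of the TMG Management console, then rerun this check.'
}
Backup-TmgConfiguration -BackupDir 'D:\TMG-Backups' -Label 'post-sp1' -ExportPassword $pw
```

On the EMS, run the same function with -Enterprise to cover the "Back up the enterprise configuration" row; on each array member, run it without the switch. Keep the SHA256SUMS file with the exports and compare before any import.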


Configure Deployment Settings

Figure 8. Configuring initial deployment settings for Forefront TMG

At this point, Forefront TMG has been installed and is ready for configuration. The Forefront TMG Getting Started Wizard will help you configure or modify initial deployment settings. The wizard consists of the following three parts:

• Network settings. Use this section to configure network adapters on the server. Each network adapter is associated with a unique Forefront TMG network.

• System settings. Use this section to configure operating system settings, such as computer name information and domain or workgroup settings.

• Deployment options. Use this section to configure malware protection for Web traffic, and to join the customer feedback program and telemetry service.

Before you run the Getting Started Wizard, you should:

• Understand how Forefront TMG uses network objects to represent your infrastructure. For information, see Planning Forefront TMG network topology.

• Understand both the benefits and disadvantages of making Forefront TMG a domain member. For information, see Workgroup and domain considerations.

• Collect the following information about network adapter settings:

  o Settings for the network adapter connected to your local access network, such as IP address, subnet mask, and DNS server address.

  o Settings for the network adapter connected to the Internet. If your ISP provides a static address, record the IP address, subnet mask, and DNS server address.

  o Settings for any additional network adapters on the computer (such as a third network adapter connected to a perimeter network).

• Make sure you know the server name and Fully Qualified Domain Name (FQDN) if the computer belongs to a domain.
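To collect the adapter and name information listed above in one pass, and to catch a default gateway set on more than one adapter before the wizard does, the following PowerShell (an added example, not from the white paper; WMI only, so it runs on the PowerShell 2.0 of Windows Server 2008 R2) inventories the IP-enabled adapters and the computer's domain membership. The function names are this example's own.

```powershell
# Added example (not from the white paper): pre-flight inventory of the settings the
# Getting Started Wizard asks for, with two checks drawn from the deployment guidance.
function Get-TmgAdapterInventory {
    $inventory = @()
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($nic in @($adapters | Where-Object { $_ -ne $null })) {
        # IPAddress and IPSubnet are parallel arrays mixing IPv4 and IPv6; keep the IPv4 entries
        $v4 = @(); $masks = @()
        for ($i = 0; $i -lt @($nic.IPAddress).Count; $i++) {
            if ($nic.IPAddress[$i] -match '^\d{1,3}(\.\d{1,3}){3}$') {
                $v4 += $nic.IPAddress[$i]
                $masks += $nic.IPSubnet[$i]
            }
        }
        $inventory += New-Object PSObject -Property @{
            Adapter        = $nic.Description
            IPv4Address    = ($v4 -join ', ')
            SubnetMask     = ($masks -join ', ')
            DefaultGateway = (@($nic.DefaultIPGateway) -join ', ')    # empty when no gateway is set
            DnsServers     = (@($nic.DNSServerSearchOrder) -join ', ')
        }
    }
    $inventory
}

function Test-TmgAdapterPrerequisites {
    param($Inventory = (Get-TmgAdapterInventory))
    $problems = @()
    $count = @($Inventory).Count
    if ($count -lt 2) {
        # An edge deployment needs an Internal and an External adapter at minimum
        $problems += "Only $count IP-enabled adapter(s) found; an edge deployment needs at least two."
    }
    $withGateway = @($Inventory | Where-Object { $_.DefaultGateway -ne '' })
    if ($withGateway.Count -ne 1) {
        # A default gateway belongs on exactly one adapter, normally the Internet-facing one
        $problems += "A default gateway is set on $($withGateway.Count) adapter(s); configure it on exactly one."
    }
    # Server name and FQDN, which the wizard needs if the computer belongs to a domain
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) { $server = "$($cs.Name).$($cs.Domain)" }
    else { $server = "$($cs.Name) (workgroup: $($cs.Domain))" }
    New-Object PSObject -Property @{ Server = $server; Problems = $problems }
}

# Usage: print the inventory to record, then the prerequisite findings
$inv = Get-TmgAdapterInventory
$inv | Format-Table Adapter, IPv4Address, SubnetMask, DefaultGateway, DnsServers -AutoSize
$check = Test-TmgAdapterPrerequisites -Inventory $inv
Write-Output ("Server: {0}" -f $check.Server)
$check.Problems | ForEach-Object { Write-Warning $_ }
```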

After you complete this step, illustrated in Figure 8, you will be able to configure networks and routing, an array of Forefront TMG servers, and client computers, as well as alerting, monitoring, and reporting.

Configure Network Settings

Use Table 11 to configure network settings in Forefront TMG.

Table 11. Configure Network Settings

Task: Configure network settings.
Description: In the Getting Started Wizard, click Configure network settings.
Reference: Configure initial deployment settings

Task: Select topology.
Description: On the Network Template Selection page of the Network Setup wizard, select the option that most closely matches your Forefront TMG network topology.
Reference: Planning Forefront TMG network topology

Task: Enter IP address.
Description: On the Local Area Network (LAN) Settings page of the wizard, in Network adapter connected to the LAN, click the adapter connected to the main corporate network and enter an IP address.
Reference: Configure network settings

Task: Configure Internet settings.
Description: On the Internet Settings page of the wizard, click the adapter connected to the Internet. You should set a default gateway on only one of the Forefront TMG network adapters. This is usually the network adapter associated with the Internet. Configure only a single default gateway on a network adapter.
Reference: Configure network settings

Task: If necessary, configure perimeter network settings.
Description: If you have a third network adapter, on the Perimeter Network Settings page of the wizard, click the network adapter connected to the perimeter network.
Reference: Configure network settings

Configure Server and System Settings

Use Table 12 to configure server and system settings.

Table 12. Configure System Settings as Part of a Forefront Deployment

Task: Configure system settings.
Description: In the Getting Started Wizard, click Configure system settings.
Reference: Configuring Server and System settings

Task: Enter Forefront TMG server.
Description: On the Host Identification page of the System configuration wizard, in the Computer name box, enter the name of the Forefront TMG server.

Task: Select domain or workgroup configuration.
Description: Under Member of, define whether the server is a member of a Windows domain or workgroup.
Reference: Workgroup and Domain Considerations; Configuring Server and System settings

Configure Deployment Settings

Use Table 13 to configure deployment settings.

Table 13. Configure Additional Deployment Settings

Task: Define deployment options.
Description: In the Getting Started Wizard, click Define deployment options.
Reference: Configuring deployment settings

Task: Check for updates.
Description: On the Microsoft Update Setup page of the Deployment wizard, click Use the Microsoft Update service to check for updates (recommended) to specify that the Microsoft Update service should be used to obtain malware definition updates.
Reference: Configuring deployment settings

Task: Configure protection features.
Description: Choose specific settings for NIS, Web Protection, Malware Inspection, and URL Filtering on the Forefront TMG Protection Features Settings page of the wizard.
Reference: Configuring deployment settings

Task: Select network inspection update settings.
Description: On the NIS Signature Update Settings page of the wizard, for Select automatic update action, select the type of action to deploy when there are new or updated signature sets.

Task: Select response policy.
Description: For New Signature Set Configuration, select the response policy option for new signatures.

Task: Select customer feedback settings.
Description: On the Customer Feedback page of the wizard, select whether you want to participate in the Customer Experience Improvement Program.
Reference: Microsoft Customer Experience Improvement Program

Task: Select reporting.
Description: On the Microsoft Telemetry Reporting Service page, do one of the following:
  o Click the Basic button to send basic information regarding filtered URLs, URL category overrides, potential threats and the response taken to Microsoft.
  o Click the Advanced button to provide information about potential threats including traffic samples and full URL strings to Microsoft.
  o Click the None button to decline participating in the service.


Configure Networks and Routing

Figure 9. Configure Networks and Routing

Forefront TMG networks represent your corporate network topology. Generally, a network is defined for each network adapter installed and enabled on the computer. Networks that do not require associated network adapters are the Local Host network (which represents Forefront TMG) and virtual private networks.

When deployed at the edge of your network, Forefront TMG should be configured with at least two network adapters: one connected to the Forefront TMG Internal network that represents the main corporate network, and the other to the Forefront TMG External network that usually represents the Internet. The External network is defined dynamically, based on the IP address ranges of other networks. You can configure the IP address range and other properties of the Internal network. If three or more adapters are available, you can also configure the properties of one or more perimeter networks. You can configure a dial-up connection on one network only (for example, to dial up for Internet access).

The following checklists assist in defining networks and routing for your Forefront TMG deployment, including the following tasks:

• Defining network rules. Network rules determine the relationship between two Forefront TMG networks.

• Defining network adapters. Network adapters correspond to the different portions of your network topology.

• Enabling ISP redundancy.

Tables 14 through 16 list network-related configuration tasks within Forefront TMG. This process is depicted in Figure 9. Prior to completing these tasks, you should have Forefront installed and the initial deployment settings of Forefront configured. After completion, you will be able to define roles and permissions and configure a Forefront TMG array.

Define Network Rules

Use Table 14 to define the network rules for Forefront TMG.

Table 14. Define Network Rules

Task: Create network rule.
Description: On the Network Rules tab, on the Tasks tab, click Create a network rule.
Reference: Defining Network Rules

Task: Complete the Network Rule Wizard.
Description: Do the following on the specified pages:
  o On the Network Traffic Sources page, specify the source network.
  o On the Network Traffic Destinations page, specify the destination network.
  o On the Network Relationship page, select either Network Address Translation (NAT) or Route.
  o On the NAT Address Selection page, select the option used by Forefront TMG to determine the NAT address used to hide computers in the traffic sources.
Reference: Defining Network Rules

Define Network Adapters

Use Table 15 to define internal, perimeter, and external network adapters.

Table 15. Define Network Adapters

Task: Run Create Network Wizard.
Description: When creating or editing a network on your Forefront TMG server, for the following network types, you can use the Create Network Wizard to specify an IP address range or select a network adapter associated with the network you are configuring:
  o Internal network
  o Perimeter network
  o External network
Reference: Defining Network Adapters

Enable ISP Redundancy

Table 16 describes how to enable ISP redundancy, which allows you to link two external network adapters to two different ISPs. There are two ISP redundancy modes:

• High availability mode. This mode designates a primary link over which all outbound Internet traffic will flow, and identifies a backup link that activates automatically if the first link fails.

• Load-balancing mode. This mode directs outbound Internet traffic between two ISP links concurrently, and sets the percentage of total Internet traffic per link. It also supports failover if one of the links fails.

Table 16. Run the ISP Redundancy Wizard

Task: Run the Redundancy Wizard.
Description: In the Forefront TMG Management console tree, click the Networking node. In the details pane, click the ISP Redundancy tab.
Reference: Enabling ISP Redundancy; Configuring networks and routing

Task: Enable ISP Redundancy.
Description: On the Tasks tab, click Enable ISP Redundancy, and then follow the instructions in the wizard. Note the following:
  o Each network must have a Network Address Translation (NAT) relationship with the external network.
  o Static NAT rules take precedence over ISP redundancy configuration settings. This means that static NAT traffic directed to a specific ISP link is not rerouted if the link is down.
  o When configuring load balancing, you can designate that traffic sent to a range of IP addresses is routed to a specific ISP link. To do this, click Explicit Route Destinations, and then click Add Range. You can add multiple ranges.
  o After completing the wizard and clicking Apply on the Apply Changes bar, any existing connections will continue over their current Internet link. The newly applied policy is relevant for new connections only.
Reference: Enabling ISP Redundancy

Configure Client Computers

Figure 10. Configure client computers

Forefront TMG protects three types of clients in internal corporate networks: clients running Forefront TMG Client software, Web proxy clients, and SecureNAT clients. Table 17 describes deployment of the Forefront TMG client. For information on each of the other client types, see Configuring Web proxy clients and Configuring SecureNAT clients. Additionally, you can configure automatic detection of Web proxy settings; you can find more information about automatic detection in Configuring Automatic Detection.

Prior to completing this step, you should have Forefront TMG fully deployed at the server level. After completion, you will have client computers configured for use with Forefront TMG.

Table 17. Configure Client Computers

Task: Install the Forefront TMG Client software.
Description: Distribute and install the Forefront TMG Client software on client computers residing in networks that are protected by Forefront TMG.
Reference: Installing Forefront TMG Client software

Task: Deploy Web browser settings.
Description: Configure Forefront TMG to deploy Web browser settings to computers that are running the Forefront TMG Client.
Reference: Deploying Web browser settings to Forefront TMG Clients

Task: Configure application settings.
Description: You can define application settings that apply to all computers on which the Forefront TMG Client is installed in Forefront-protected networks. Application settings consist of {key, value} pairs that specify how the Forefront TMG Client software behaves with the specific application.
Reference: Configuring application settings for Forefront TMG Clients

Task: Enable client requests.
Description: Enable a network in Forefront TMG to receive Forefront TMG Client requests.
Reference: Enabling a network to receive Forefront TMG Client requests

Task: Configure resolution.
Description: You can define addresses or domain names that enable the Forefront TMG Client to locally resolve network requests without sending them to Forefront TMG.
Reference: Configuring settings for Forefront TMG Client to resolve local requests

Create an Enterprise Array

Figure 11. Create an enterprise array

Creation of an enterprise array of Forefront servers is another key step in the move toward a Dynamic IT environment. Forefront TMG arrays provide three key benefits.

• High availability ensures operational continuity of the Forefront TMG deployment, including during the downtime of one or more of the Forefront TMG servers in the deployment. Forefront TMG configuration settings across all servers in the array are identical, thus providing uninterrupted service during failover of one or more array members.

• Scalability helps your organization meet increasing performance demands. For example, with a growing number of users, or users wishing to increase their Internet activities, additional network bandwidth is required. When your organization's needs grow, you can easily upgrade from a deployment of a single Forefront TMG to a Forefront TMG array, increase the number of members in an existing array, or increase the number of arrays.

• Distributed, persistent caching keeps all servers updated with the latest array manager configuration, thus enabling users to designate a new array manager on demand. The information is persistent, and is retained during the downtime of one or more of the Forefront TMG servers in the deployment.

Table 18 describes the creation of a Forefront TMG enterprise array, as depicted in Figure 11. Prior to completing this step, you should have a fully installed and configured Forefront TMG deployment, including an EMS.

After you create an enterprise array, you can add members to the array and remove servers from it, as described in the following topics:

• Joining a server to an enterprise array

• Removing a server from an enterprise array

Table 18. Create an Enterprise Array

Task: Select Create New Array.
Description: On the EMS, in the Forefront TMG Management console, click Arrays. In the task pane, on the Tasks tab, click Create New Array.
Reference: Configuring an array of Forefront TMG servers; Creating an enterprise array

Task: Enter array name.
Description: In the New Array Wizard, on the Welcome to the New Array Wizard page, enter the name of the array.
Reference: Configuring an array of Forefront TMG servers

Task: Enter DNS name.
Description: On the Array DNS Name page, enter the DNS name of the array.

Task: Select Enterprise policy.
Description: On the Assign Enterprise Policy page, in the Select the Enterprise policy to apply to this new array list, click the enterprise policy to apply to the array.

Task: Select rule types.
Description: On the Array Policy Rule Types page, select the types of rules that may be created for the array firewall policy.
Reference: Creating an enterprise array

Monitor, Alert, and Report

Figure 12. Monitor, alert, and report

Forefront TMG's monitoring features enable you to view a real-time threat assessment and provide alerts and powerful reporting. This section shows you how to use the monitoring features of Forefront TMG.

Prior to completing this step, you should have Forefront TMG installed and configured in your environment. Table 19 will guide you through monitoring capabilities in Forefront TMG. For specific information on configuring alerts and creating reports, please read the following:

• Configuring alert definitions

• Configuring alert actions

• Creating reports

• Viewing reports

After you complete this step, you will have monitoring deployed in Forefront TMG. This process is illustrated in Figure 12.

Table 19. Monitor, Alert, Report

Task: Monitor connectivity to network servers.
Description: Create connectivity verifiers to check the availability of specific network servers.
Reference: Monitoring server connectivity

Task: Track client activity.
Description: Track activity by monitoring current sessions for Forefront TMG Clients, Web proxy clients, and SecureNAT clients.
Reference: Monitoring client sessions

Task: Monitor alerts and status.
Description: Check the current state of the system by monitoring alerts that have been issued, as well as the status of services.
Reference: Monitoring alerts

Task: Create key performance indicators (KPIs).
Description: Track HTTP compression by adding information to the log viewer; additionally, monitor network status with performance counters.
Reference: Monitoring Performance

Conclusion

Network protection in a Dynamic IT environment is centralized and automated, and the security tools used for network protection are integrated and provide automated threat assessment. This document described the process that can help move organizations toward a Dynamic IT environment using Forefront Threat Management Gateway.

For more information, see the following resources:

• Forefront TMG Home Page: http://www.microsoft.com/forefront/threat-management-gateway/en/us/default.aspx

• Forefront TMG Planning and Design: http://technet.microsoft.com/en-us/library/cc441674.aspx

• Forefront TMG Deployment: http://technet.microsoft.com/en-us/library/cc441445.aspx