Forefront TMG with EBS 2008 overview

The second server installed during the EBS 2008 installation process is the security server. This server is the gateway between the internal LAN and the internet. The server requires two network cards and a minimum of 2GB of RAM and 40GB of disk space.

Forefront Threat Management Gateway (TMG) is the product formerly known as ISA. TMG is included as a component of EBS 2008 Server and installs onto the Security Server. TMG runs on a 64-bit edition of Windows 2008, whereas ISA only supports 32-bit environments. TMG is currently only available with EBS 2008 or as a beta version for other server versions. Small Business Server (SBS) 2003 included ISA 2004; however, this option has been removed from SBS 2008.

EBS 2008 automatically installs Forefront TMG as part of the security server installation process. Anyone who is familiar with ISA 2004 or ISA 2006 will instantly recognise the console and be able to find the key areas without too much trouble. The installation automatically creates rules, configures web listeners and assigns the self-signed certificate generated during the installation. Network sets are correctly defined based on a couple of questions asked during the installation process.

I found that I only needed to make a couple of minor changes to the default configuration to allow my environment to function properly. The first was turning off strict RPC checking to allow the Data Protection Manager (DPM) agent to install and then allow traffic to and from the DPM server. It is interesting that DPM does not conform to strict RPC compliance. The second change was creating a custom rule to allow TCP 3101 outbound for Blackberry (an additional server in this environment was running Blackberry), achieved by running a wizard that is almost identical to the one in ISA 2006.

The first obvious change I noticed in TMG rules is the option to scan traffic for malware. End users see this when downloading files from the internet: a web page appears showing the attachment scanning process before the user can save the file to disk. Other areas of improvement include separate tabs for Firewall rules and Web rules, making it easy to manage both rule types. Many of the publishing aspects of TMG are improved, e.g. Exchange 2007 support and SharePoint publishing. VPN functionality is improved in many areas, including support for a variety of third-party IPsec solutions, stateful packet inspection and VPN quarantine.

TMG is an incremental improvement to ISA 2006, with most of the improvements focused on the latest generation of Microsoft server products and a move to 64-bit.

A full list of features can be found here: Microsoft Forefront TMG features