Forefront TMG

New Zealand SharePoint Conference

I will be presenting at the New Zealand SharePoint Conference for the first time on the 28th and 29th of March 2012. This is a great conference and a must attend event for anyone who works with SharePoint.

My presentation will cover publishing SharePoint with Forefront UAG and TMG. Hopefully a few people come along to learn and the presentation runs smoothly!

Some details of my presentation can be found here:

The official conference website is here:

See you in Auckland!


SharePoint 2010 and Forefront TMG

Ever wanted to published SharePoint 2010 externally and found it difficult to understand and even harder to find good documentation? I’ve worked on this particular issue several times in the past few months, so thought it was time to put fingers to keyboard and provide a few tips.

These notes cover publishing SharePoint 2010 with either ISA 2006 or Forefront TMG.

Before you begin:

Commonly your internal SharePoint farm will be accessed over HTTP whilst external access is via HTTPS.
In this example I will use the following configuration:

SharePoint URL: http://sharepoint.domain.local

MySites URL: http://mysites.domain.local

Wildcard digital certificate: *

Two external DNS records pointing to the same external IP address on the ISA server:

SharePoint Steps:
1. Extend the SharePoint and MySites web applications (in Central Admin)
2. Install your digital certificate (and root certificate) on the Web Front End Server
3. Using PowerShell add two Alternative Access Mappings (AAM’s):

4. In IIS edit the binding on the Extended web application – change from HTTP to HTTPS and select the certificate above. Once done remove the HTTP (listening on port 443) binding, this isn’t needed.
5. Make sure the new sites have started an IISReset may be required.

Forefront TMG or ISA Server Steps:
1. Create a web listener

  • Redirect HTTP to HTTPS
  • Use the same certificate installed on SharePoint above
  • Configure SSO = (this ensures only one login to TMG or ISA is required for all sites on that listener with matching domains)

2. Create two publishing rules, one for SharePoint and the other for MySites

  • Use the same web listener for both
  • Forward the original host headers
  • Bridge the connection using HTTPS (keep the protocols the same between the external URL and the internal URL)

In some instances you may need to create translation rules for HTTP to HTTPS. This can be done on the publishing rule.

Access rules can be used to block access to specific sub-URL’s.

EBS 2008 Firewall Configuration

Essential Business Server 2008 (EBS 2008) automatically installs and configures most of the components required to provide remote access. Details can be found in my EBS 2008 Remote Access article.

Forefront TMG is automatically configured during installation to allow the ports listed below to access services in the EBS 2008 environment. If you have an external router or firewall you will need to forward the following ports from that device to the WAN Adapter of the EBS 2008 Security Server:

  • Port 25 TCP – SMTP
  • Port 80 TCP – HTTP (EBS 2008 redirects inbound HTTP to HTTPS)
  • Port 443 TCP – HTTPS (RWW, OWA and TS Gateway)
  • Port 987 TCP – External secure Windows SharePoint Services intranet access
  • Port 1723 TCP – PPTP (VPN) – optional as RRAS is not configured by default

Note that RDP access to server consoles is done via Terminal Services Gateway (over port 443) so do not allow inbound connections on port 3389 as it is a security risk.

Forefront TMG with EBS 2008 overview

The second server installed during the EBS 2008 installation process is the security server. This server is the gateway between the internal LAN and the internet. The server requires two network cards and a minimum of 2GB of RAM and 40GB of disk space.

Forefront Threat Management Gateway (TMG) is the product formerly known as ISA. TMG is included as a component of EBS 2008 Server and installs on to the Security Server. TMG runs on a 64bit edition of Windows 2008 where ISA only supports 32bit environments. TMG is only available with EBS 2008 currently or as a beta version for other server versions. Small Business Server (SBS) 2003 included ISA 2004, however this option has been removed from SBS 2008.

EBS 2008 automatically installs Forefront TMG a part of the security server installation process. Anyone who is familiar with ISA 2004 or ISA 2006 will instantly recognise the console and be able to find the key areas without too much trouble. The installation automatically creates rules, configures web listeners and assigns the self-signed certificate generated during the installation. Network sets are correctly defined based on a couple of questions asked during the installation process.

I found that I only needed to make a couple of minor changes to the default configuration to allow my environment to function properly. The first was turning off strict RPC checking to allow the Data Protection Manager (DPM) agent to install and then allow traffic to and from the DPM server. Interesting that RPC compliance is not conformed to by DPM. The second change was creating a custom rule to allow TCP 3101 outbound for Blackberry (an additional server in this environment was running Blackberry), achieved by running a wizard that is almost identical to that in ISA 2006.

The first obvious change I noticed in TMG rules is the option to scan traffic for malware. End users see this when downloading files from the internet, a webpage appears showing the attachment scanning process before the user can save the file to disk. Other area’s of improvement include seperate tabs for Firewall rules and Web rules making it easy to manage both rule types. Many of the publishing aspects of TMG are improved e.g. Exchange 2007 support and Sharepoint publishing. VPN functionality is improved in many areas including support for a variety of third party IPSEC solutions, stateful packet inspection and VPN quarantine.

TMG as an incremental improvement to ISA 2006 with most of the improvements focused on the latest generation of Microsoft server products and a move to 64bit.

A full list of features can be found here: Microsoft Forefront TMG features

Essential Business Server 2008 overview

In November 2008 Microsoft released a new server software bundle aimed at businesses with up to 300 users. I recently deployed my first Essential Business Server 2008 (EBS 2008) and was instantly impressed. EBS 2008 mixes proven technologies like Windows 2008 Server and Exchange 2007 with new technologies Forefront and management tools like System Centre Essentials. The combination of products works well together and has the potential to save a lot of time both during the initial install and over the lifetime of the system.

What is EBS 2008?

EBS 2008 deploys onto 3 servers. It is supported on both Physical and Virtual environments. The Premium edition adds a forth Windows 2008 standard server (with 1 free Virtual License included) and SQL 2008 Standard Edition.

Following the installation you get environment with these roles / features:

  • 2 Domain Controllers (Management and Messaging servers)
  • System Centre Essentials 2007
  • Exchange 2007
  • Forefront for Exchange
  • Forefront TMG (next generation ISA)
  • Remote Web Workplace
  • Terminal Services Gateway
  • Windows 2008 standard edition (premium edition)
  • SQL 2008 (premium edition)
  • WSS 3.0 (free download)

The 3 standard servers require 64bit hardware. The premium server can be either 32bit or 64bit.


A preparation tool is provided to examine an existing environment or help you design a new one. Once this is complete it is simply a matter of putting the first DVD into your server (make sure the hardware meets the system requirements) and following the prompts until the 3 servers that make up the EBS 2008 environment are installed. The standardised installation removes many common configuration issues and helps build a core network that will perform well and work with very little tweaking.

Some of the more difficult parts of a typical network installation where positively simple with EBS 2008. Exchange 2007 installed perfectly with only a few simple questions, Forefront TMG (the replacement for ISA 2006) also installed perfectly and Remote Web Workplace’s TS Gateway options just worked.


Once EBS 2008 is installed, System Centre Essentials agents can be deployed to other Windows based servers and PC’s in the domain giving enterprise style management of your network from a single point. Common tasks like installing Windows updates, ensuring antivirus software is install and up to date, deploying software and producing an inventory of hardware and software can be done with minimal effort.

The EBS Management Console supports third party plug-ins and provides a nice management dash board SysAdmins will love.

Managing licenses is simplified too. Microsoft sell two different EBS Client Access Licenses (CAL). The standard CAL includes Windows 2008 CAL and Exchange 2007 CAL. The premium CAL adds a SQL CAL. It is simple to assign either standard or premium licenses to specific users and report on usage. The CAL pricing also provides a good saving over purchasing individual user CAL’s.


I don’t have many gripes about EBS 2008 but it does have some room for improvement. Forefront for Exchange seems a little bit ‘clunky’. Additional Forefront client licenses are required and while pricing is was difficult to get information from Microsoft about this (in New Zealand at least).  Microsoft don’t include a backup solution other than Windows Backup which doesn’t support Exchange or SQL.

I also found that many vendors either don’t know what EBS 2008 is or don’t have upgrade options for software from Small Business Server.


EBS 2008 is a excellent solution for those who have either out grown Small Business Server or are moving from Windows 2000 or 2003 server and have less than 300 users. The time savings for management alone make this bundle well worth considering.