Manually configuring Stirling to work with Forefront Threat Management Gateway

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Microsoft Forefront Threat Management Gateway is the advanced, stateful packet and application-layer inspection firewall that enables you to protect your network edge while providing policy-based Internet access, Web caching, secure access to corporate servers, and virtual private network (VPN). Stirling provides security monitoring based on security assessment services from multiple asset protection technologies for your Forefront TMG servers.

For this beta release, you can configure one computer running Forefront TMG to work with your Stirling server. You can configure Stirling's response policy to include Forefront TMG by editing the response using Stirling's Dashboard and then deploying the policy to Forefront TMG through the Stirling agent. The Stirling assessment agent on the Forefront TMG server returns assessment information to Stirling, allowing you to view assessments generated by Forefront TMG as well as any action taken by Forefront TMG.

When you configure Forefront TMG to work with Stirling, the computer running Forefront TMG is automatically added to a Stirling group. You cannot add the computer running Forefront TMG to any other Stirling groups.

Configuring Forefront TMG for Stirling

This section describes the general steps you need to complete to configure Forefront TMG to work with Stirling.

To configure Forefront TMG to work with Stirling

  1. Install the Stirling server components. For instructions, see Deploying Stirling server components.

  2. Install and configure Forefront TMG on a separate computer, according to the Forefront TMG installation instructions. The computer on which you install Forefront TMG must also have Microsoft .NET Framework version 3.0 installed. In addition, when you install Forefront TMG, use credentials that have local administrative privileges on the computer running the Stirling server.

  3. Enable Microsoft Message Queuing (also known as MSMQ) on the computer running Forefront TMG. For instructions, see Enabling MSMQ for Forefront TMG in order to work with Stirling.

  4. On the computer running Forefront TMG, deploy and configure the Operations Manager agent, Stirling agent, and the Asset Protection System (APS), as described in Deploying the Operations Manager agent, Stirling agent, and Asset Protection System (APS) on the computer running Forefront TMG.

  5. Configure Forefront TMG as a Stirling managed asset by approving the computer running Forefront TMG in Operations Manager. Specifically, you mark the agents running on the Forefront TMG server as managed in Operations Manager, as described in Configure Forefront TMG as a Stirling managed asset by approving the manually installed Operations Manager agent.

  6. Approve Forefront TMG as a Stirling component in order to enable the Stirling server to send and receive security assessments to and from the computer running Forefront TMG, as described in Approving Forefront TMG as a Stirling component.

  7. In the Stirling console, on the Dashboard view, verify that Stirling and Forefront TMG are communicating, as described in Validating communication between the Stirling and Forefront TMG servers.

Enabling MSMQ for Forefront TMG in order to work with Stirling

Before you configure Forefront TMG and Stirling to work together, you need to configure Message Queuing on the computer running Forefront TMG. Message Queuing is a system service that enables high-volume event processing. This section provides instructions for enabling Message Queuing on Forefront TMG.

To enable Message Queuing on the Forefront TMG server

  1. Using credentials that have local administrative privileges on the computer running Forefront TMG and the Stirling server, log on to the computer running Forefront TMG.

  2. Click Start, point to Administrative Tools, and then click Server Manager. The Server Manager runs.

  3. Click Add Features to start the Add Features Wizard.

  4. Expand MSMQ, expand MSMQ Services, and then select the check boxes for the following Message Queuing features:

    • Microsoft Server Message Queue Server
    • MSMQ Active Directory Domain Services Integration
    • MSMQ HTTP Support
    • Multicasting Support
    • MSMQ Triggers

  5. Click Next, and then click Install.

  6. If you are prompted to restart the computer, click OK to complete the installation.
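The following PowerShell is an added example, not from the Stirling documentation: it checks that the five Message Queuing features selected in step 4 are installed and installs any that are missing with ServerManagerCmd.exe instead of the Add Features Wizard. It assumes Windows Server 2008 (where ServerManagerCmd.exe is available) and that the feature IDs in the list are ServerManagerCmd's names for the features listed in step 4.

```powershell
# Added example, not from the Stirling documentation: verifies the Message
# Queuing features from step 4 via ServerManagerCmd.exe and installs the
# missing ones. Assumption: Windows Server 2008 and the feature IDs below.
$requiredFeatures = @(
    'MSMQ-Server',        # Message Queuing Server
    'MSMQ-Directory',     # Active Directory Domain Services Integration
    'MSMQ-HTTP-Support',  # HTTP Support
    'MSMQ-Multicasting',  # Multicasting Support
    'MSMQ-Triggers'       # Message Queuing Triggers
)

# "ServerManagerCmd -query" prints one line per role or feature; installed
# ones are marked [X] and every line ends with the feature ID in brackets.
function Get-InstalledFeatureIds {
    $ids = @()
    foreach ($line in (& ServerManagerCmd.exe -query)) {
        if ($line -match '^\s*\[X\].*\[([^\]]+)\]\s*$') { $ids += $matches[1] }
    }
    return $ids
}

$installed = Get-InstalledFeatureIds
$missing = @($requiredFeatures | Where-Object { $installed -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host 'All Message Queuing features required by Stirling are installed.'
} else {
    foreach ($id in $missing) {
        Write-Host "Installing $id ..."
        & ServerManagerCmd.exe -install $id
        # A non-zero exit code can mean failure or a pending restart; the
        # re-query below reports the real state either way.
        if ($LASTEXITCODE -ne 0) { Write-Warning "ServerManagerCmd.exe returned $LASTEXITCODE for $id." }
    }
    $installed = Get-InstalledFeatureIds
    $stillMissing = @($requiredFeatures | Where-Object { $installed -notcontains $_ })
    if ($stillMissing.Count -gt 0) {
        Write-Warning "Not yet installed: $($stillMissing -join ', '). Restart if prompted and run this check again."
    } else {
        Write-Host 'Message Queuing features installed.'
    }
}
```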

Deploying the Operations Manager agent, Stirling agent, and Asset Protection System (APS) on the computer running Forefront TMG

For this beta release, the APS includes only the Stirling assessment agent (also known as the Enterprise Security Assessment Sharing (ESAS) agent). ESAS uses security assessments to create a common language in which security endpoints share critical data about IT assets, including computers and user accounts. For Forefront TMG, a security assessment is based on actual events observed on the computer running Forefront TMG. When sufficient evidence is collected, the Stirling assessment agent triggers a security assessment summarizing the observation and sends it to Stirling, based on the ESAS policies you define.

Before you can establish the computer running Forefront TMG as a Stirling managed server, you need to deploy the Operations Manager agent, the Stirling agent, and APS on that computer. Deploying them is also what enables ESAS security assessments.

To deploy the Operations Manager agent, Stirling agent, and APS on the Forefront TMG server

  1. Using a domain account that has local administrative privileges, log on to the computer running Forefront TMG. Use the same credentials you used to install Forefront TMG. For this beta release, these credentials must also have local administrative privileges on the Stirling server.

  2. Copy the Stirling x64 edition agent installation file, FSysAgentPackage.exe, to your local hard drive. This file is stored on the Stirling CD in the following location:

    <CD drive>\Forefront codename Stirling & Next Generation FCS\x64\client

  3. Click Start, right-click Command Prompt, and then click Run as administrator.

  4. From the command line, change to the directory where you copied FSysAgentPackage.exe. For example:

    cd C:\temp\

  5. Run FSysAgentPackage.exe as follows:

    FSysAgentPackage.exe /MG <SCOM management group> /MS <SCOM management server> [/I <Install directory>] [/L <Log directory>]

    where:

    • <SCOM management group> is the name of the Operations Manager management group on the Stirling server. This parameter is required.
    • <SCOM management server> is the fully qualified domain name of the computer running the Operations Manager management server. For this beta release, this must be the name of the computer on which you installed Stirling. This parameter is required.
    • <Install directory> is the path to the folder in which you want to install the Stirling client components. This parameter is optional. If you do not provide a path, the agents are installed in the following folder:
      %Program Files%\Microsoft Forefront\Forefront System\Client
    • <Log directory> is the path to the folder in which you want to store the Stirling log files. This parameter is optional. If you do not provide a path, the logs are stored in the following folder:
      %Program Files%\Microsoft Forefront\Forefront System\Logs
  6. At the command prompt, change to the Forefront TMG folder on the Stirling CD:

    <CD drive>\Forefront codename Stirling & Next Generation FCS\x64\tmg

  7. Install the ESAS agent as follows:

    msiexec /i EsasISA.msi /l*v <Log directory> coredbserver=<StirlingServerName> isadbinstance=MSFW

    where:

    • <Log directory> is the path of the file in which you want msiexec to write the ESAS agent installation log (the /l*v switch turns on verbose logging to that file). For example:
      C:\Install_EsasISA.MSI.log
    • <StirlingServerName> is either the fully qualified domain name or the NetBIOS name of the computer running Stirling.
    • isadbinstance must be MSFW. Note that there is no space between a property name, the equal sign, and its value.

    If you are installing on a computer that has no Internet connectivity, the ESAS service may fail to start within 30 seconds, causing the ESAS agent installation to fail. To work around this, reduce the default network timeout setting and then install the ESAS agent. For more information and specific instructions, see Digitally signed components causing slow startup of applications when there is no network connectivity (https://support.microsoft.com/kb/941990).
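The following PowerShell is an added example, not from the Stirling documentation or its installers: it runs steps 4 to 7 above from one elevated session on the Forefront TMG computer, checks the inputs before each installer starts, and stops on a failing exit code instead of continuing. The management group, server name and CD drive values are placeholders to replace; the .NET 3.0 registry key, the msiexec /l*v switch and the 3010 (restart required) exit code are standard Windows behaviour rather than anything the page describes.

```powershell
# Added example, not from the Stirling documentation: scripted agent
# deployment on the Forefront TMG computer. Placeholder values are marked.
$managementGroup  = 'STIRLING_MG'             # placeholder: SCOM management group name
$managementServer = 'stirling.corp.example'   # placeholder: FQDN of the Stirling server
$cdRoot  = 'D:\Forefront codename Stirling & Next Generation FCS\x64'  # placeholder: CD drive
$package = 'C:\temp\FSysAgentPackage.exe'     # copied from "$cdRoot\client" in step 2
$logDir  = 'C:\StirlingInstallLogs'

# Starts an installer and waits for it (plain "& installer" does not wait for
# GUI programs such as msiexec); returns the process exit code.
function Invoke-Installer($exe, $arguments) {
    $proc = [System.Diagnostics.Process]::Start($exe, $arguments)
    $proc.WaitForExit()
    return $proc.ExitCode
}

# Step 2 of the first procedure requires .NET Framework 3.0 on this computer
# (assumption: its presence is recorded under this registry key).
if (-not (Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0')) {
    throw '.NET Framework 3.0 is not installed on this computer.'
}
if (-not (Test-Path $package)) { throw "$package not found; copy it from $cdRoot\client first." }
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Step 5: Operations Manager agent and Stirling agent, pointed at the Stirling server.
$code = Invoke-Installer $package "/MG $managementGroup /MS $managementServer /L `"$logDir`""
if ($code -ne 0) { throw "FSysAgentPackage.exe failed with exit code $code; see $logDir." }

# Steps 6 and 7: ESAS agent from the tmg folder of the Stirling CD, with a
# verbose msiexec log so a failure (for example the 30-second service start
# timeout noted above) can be diagnosed. 3010 means success, restart needed.
$msi     = Join-Path $cdRoot 'tmg\EsasISA.msi'
$esasLog = Join-Path $logDir 'Install_EsasISA.MSI.log'
$code = Invoke-Installer 'msiexec.exe' ("/i `"$msi`" /l*v `"$esasLog`" " +
        "coredbserver=$managementServer isadbinstance=MSFW")
if ($code -ne 0 -and $code -ne 3010) {
    throw "ESAS agent installation failed (msiexec exit code $code); see $esasLog."
}
Write-Host "Agents installed (msiexec exit code $code). Continue with the Operations Console approval."
```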

Configure Forefront TMG as a Stirling managed asset by approving the manually installed Operations Manager agent

After installing the Operations Manager agent on the computer running Forefront TMG, you need to approve the agent in the Operations Console in order to configure it as a managed asset. If you configured Operations Manager to auto-approve new manually installed agents, no further action is required. If you configured Operations Manager to set new manual agent installations as pending, you need to approve the Operations Manager agent you installed by using the Operations Console.

To approve the pending Operations Manager agent for Forefront TMG

  1. Using credentials that have administrative privileges, log on to the Operations Manager server.

  2. Click Start, and then click Operations Console. The Operations Console appears.

  3. Select the Administration view.

  4. In the left pane, in the tree, click Pending Management. The Pending Management pane appears, displaying a list of all pending agent installations.

  5. Select the ESAS agent in the list.

  6. In the Actions pane, click Approve, and then click Approve again to confirm.

  7. In the left pane, in the tree, click Agent Managed, and confirm that the ESAS agent appears in the Agent Managed pane.

Approving Forefront TMG as a Stirling component

After deploying APS to the computer running Forefront TMG, you need to configure the computer as a Stirling component. When you do this, you add the Stirling server to the assessment sharing channel, enabling the server to send and receive security assessments to and from the computer running Forefront TMG.

To approve Forefront TMG as a Stirling component

  1. Using credentials that have local administrative privileges, log on to the Stirling server. The computer must be domain joined.

  2. Click Start, point to All Programs, point to Windows PowerShell 1.0, and then click Windows PowerShell.

  3. To set the execution policy to allow the script to run, enter the following command:

    Set-ExecutionPolicy Unrestricted

    By default, PowerShell execution policy is set to "restricted", which prevents you from running any scripts.

  4. To change to the directory that contains the Register-Agents.ps1 script, use the Set-Location cmdlet. If you chose the default directory during installation, use the following command:

    Set-Location "C:\Program Files\Microsoft Forefront\Forefront System\Server\ESAS\Binaries\"

  5. Run the Register-Agents.ps1 PowerShell script:

    .\Register-Agents.ps1

  6. When prompted, type Yes to confirm that you want to join the computer running Stirling to the assessment sharing channel, and then press ENTER.

    If you receive the following error, you need to wait a few minutes and run the script again:

    Computername is not recognized by the Forefront System. Please validate computername was discovered successfully by SCOM and that "Forefront System Agent" is installed.

  7. When the script completes, you should reset the execution policy in one of the following ways:

    At the command prompt, enter the following command in order to disallow all scripts:

    Set-ExecutionPolicy Restricted

    At the command prompt, enter the following command in order to disallow only unsigned scripts but allow signed scripts:

    Set-ExecutionPolicy AllSigned
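The following PowerShell is an added example, not from the Stirling documentation: it wraps steps 3 to 7 above so that the execution policy is raised only for the duration of the registration and is restored to its previous value afterwards, even if the script fails, and so that the "is not recognized by the Forefront System" error is retried after a wait instead of by hand. It assumes PowerShell 1.0 as the page states (so no try/finally), the default installation path, that the error text appears on the script's output or error stream, and a 3-minute wait between retries (the page says only "a few minutes").

```powershell
# Added example, not from the Stirling documentation: runs Register-Agents.ps1
# with the execution policy raised only temporarily, retrying the
# "not recognized" error. Retry count and delay are assumptions.
$scriptDir = 'C:\Program Files\Microsoft Forefront\Forefront System\Server\ESAS\Binaries'
$maxAttempts = 5
$retryDelaySeconds = 180

$previousPolicy = Get-ExecutionPolicy
# Restore whatever policy was in force before (Restricted, AllSigned, ...)
# rather than hard-coding one of the two values from step 7, and do so
# even if a terminating error ends the script early.
trap { Set-ExecutionPolicy $previousPolicy; break }

Set-ExecutionPolicy Unrestricted
Set-Location $scriptDir

$registered = $false
for ($attempt = 1; $attempt -le $maxAttempts -and -not $registered; $attempt++) {
    Write-Host "Registration attempt $attempt of $maxAttempts"
    # Errors are merged into the output stream so the message text can be
    # inspected; the script's own Yes/No confirmation still reaches the console.
    $output = & (Join-Path $scriptDir 'Register-Agents.ps1') 2>&1 | Out-String
    Write-Host $output
    if ($output -match 'is not recognized by the Forefront System') {
        Write-Host "Agent not yet discovered by SCOM; waiting $retryDelaySeconds seconds."
        Start-Sleep -Seconds $retryDelaySeconds
    } else {
        $registered = $true
    }
}

Set-ExecutionPolicy $previousPolicy
if ($registered) {
    Write-Host "Registration finished; execution policy restored to $previousPolicy."
} else {
    Write-Error "Registration still failing after $maxAttempts attempts; policy restored to $previousPolicy."
}
```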

Validating communication between the Stirling and Forefront TMG servers

You validate communication between Forefront TMG and Stirling by checking the "Health monitoring" control in the Stirling console's Dashboard. For instructions on launching the Stirling console, see Verifying installation by using the Stirling console.