Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Planning to deploy Forefront TMG secure Web gateway

Updated: February 1, 2010

Applies To: Forefront Threat Management Gateway (TMG)

This topic is designed to help you plan the deployment of Forefront TMG secure Web gateway in your organization.

noteNote:
Before you start, make sure that Forefront TMG is installed, configured, and tested in your environment. For information, see the Forefront TMG TechNet Library (http://go.microsoft.com/fwlink/?LinkID=131702).

This topic describes:

Planning your secure Web gateway network topology

Organizations usually deploy their secure Web gateway inside the network, not at the network’s edge. With Forefront TMG secure Web gateway, the location of Forefront TMG in your network depends on the functionality of your deployment, as follows:

If you use Forefront TMG as a secure Web gateway only, deploy it inside the network. The following Forefront TMG network topologies are recommended for a secure Web gateway-only implementation:

  • Back firewall—In this topology, Forefront TMG is located at the network’s back end, and another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network.

    Forefront TMG back firewall topology

  • Single network adapter—This topology provides limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network.



    Forefront TMG single network adapter topology

If you use Forefront TMG as both a secure Web gateway and a firewall, deploy it outside the network. The following Forefront TMG network topologies are appropriate for this type of implementation:

  • Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).

    Forefront TMG edge firewall topology

  • 3-Leg perimeter—This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.



    Forefront TMG 3-Leg perimeter topology

For more information, see Planning Forefront TMG network topology (http://go.microsoft.com/fwlink/?LinkId=179309).

noteNote:
Forefront TMG network refers to the physical or logical network on which Forefront TMG is installed.

Planning for URL filtering

URL filtering is subscription based, and is part of the Forefront TMG Web Security Service license. For licensing information, see How to Buy (http://go.microsoft.com/fwlink/?LinkId=179848).

Planning for HTTPS inspection

In order to inspect HTTPS traffic, a certification authority (CA) certificate must be placed on the Forefront TMG server and deployed to all client computers.

You can obtain the certificate in one of two ways:

  • Generate a self-signed certificate on the Forefront TMG server.

  • Import a certificate that was issued by either a root CA in your organization, or by a trusted public CA, that is, a CA that is created by an outside entity, such as VeriSign. The certificate must be a Personal inFormation eXchange (.pfx) file, and must be trusted on the Forefront TMG server.

If you intend to import a certificate, place it on the Forefront TMG server prior to the configuration of HTTPS inspection. For information, see Managing HTTPS inspection certificates.

In multiple-array deployments, you generate or import the HTTPS inspection certificate for each of the arrays.

Planning for updates of protection definitions

Malware inspection and Network Inspection System (NIS) use Microsoft product updates to keep protection definitions constantly updated.

noteNote:
Updated definition files are provided by Microsoft Update and are subject to licensing. For licensing information, see How to Buy (http://go.microsoft.com/fwlink/?LinkId=157421).

You can select to update definition files by using either of the following methods:

  • Microsoft Update—Updates that are released through Microsoft Update are installed on the Forefront TMG computer.

  • Windows Server Update Services (WSUS)—For Forefront TMG arrays, you can deploy WSUS in the network in which Forefront TMG is deployed. A single server downloads the updates that are released through Microsoft Update, and distributes the updates to all the Forefront TMG computers in the network. This is the recommended update method for Forefront TMG arrays, because it provides centralized management, and saves time and network bandwidth. For more information, see Microsoft Windows Server Update Services 3.0 Overview (http://go.microsoft.com/fwlink/?LinkId=108173).

    noteNote:
    • You can select to use Microsoft Update if the update from WSUS fails.

    • If you join a production Forefront TMG server to an array, download the updates onto the server before joining it to the array.

For information on how to select the update method, see Managing definition updates for malware inspection and NIS.

By default, Forefront TMG allows traffic to and from Microsoft's various update sites. However, if you experience problems connecting to the Microsoft Update site, see the section “Troubleshooting connectivity to update sites” in Configuring connectivity to update sites (http://go.microsoft.com/fwlink/?LinkId=179312).

Planning to generate Forefront TMG reports

Forefront TMG reporting enables you to summarize and analyze activities on Forefront TMG, including Web usage and the activities of the Forefront TMG protection mechanisms. Report categories for Forefront TMG secure Web gateway include the following:

  • Web Usage

  • Malware Protection

  • URL Filtering

  • Network Inspection System

For general information on Forefront TMG reports, and for instructions on how to configure and view reports, see Configuring Forefront TMG reports (http://go.microsoft.com/fwlink/?LinkId=179492).

Related Topics

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.