Configuring application settings for Forefront TMG Clients

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

You can define application settings in Forefront TMG which apply to all computers on which the Forefront TMG Client is installed in networks that are protected by Forefront TMG. Application settings consist of {key, value} pairs that specify how the Forefront TMG Client software behaves with the specific application.

The following procedure describes how to configure new application settings, edit existing application settings, and delete application settings.

To configure application settings for Forefront TMG Client

  1. In the Forefront TMG Management console, in the tree, click Networking, and then click the Networks tab.

  2. In the task pane, on the Tasks tab, under Related Tasks, select Configure Firewall Client Settings.

  3. To configure a new application setting, do the following:

    1. On the Application Settings tab, click New.

    2. On the Application Entry Setting dialog box, enter the application name, key, and value, and then click OK.

  4. To modify an existing application setting, in the Settings list, click the application, and then click Edit. Apply the change and click OK.

  5. To delete an existing application setting, in the Settings list, click the application, and then click Remove.

You can modify application settings in Forefront TMG Management to apply to all computers on which the Forefront TMG Client is installed. The following table lists the entries that you can include when configuring the Forefront TMG Client application settings. The first column lists the keys that can be included in the configuration files. The second column describes the values to which the keys can be set. Note that some settings can be configured only on the computer on which the Forefront TMG Client is installed.

Application Settings

Key: Value

ServerName

Specifies the name of the Forefront TMG server computer to which Forefront TMG Client should connect.

Disable

Possible values: 0 or 1. When the value is set to 1, the Forefront TMG Client application is disabled for the specific client application, except when the Forefront TMG Client configuration explicitly exempts the process initiating traffic.

DisableEx

Possible values: 0 or 1. When the value is set to 1, the Forefront TMG Client application is disabled for the specific client application. When set, this overrides the Disable setting. For example, for svchost, DisableEx is enabled by default.

Autodetection

Possible values: 0 or 1. When the value is set to 1, the Forefront TMG Client application automatically finds the Forefront TMG computer to which it should connect.

NameResolution

Possible values: L or R. By default, dotted domain names are redirected to the Forefront TMG computer for name resolution and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the Forefront TMG computer for resolution. When the value is set to L, all names are resolved on the local computer.

LocalBindTcpPorts

Specifies a TCP port, list, or range that is bound locally.

LocalBindUdpPorts

Specifies a UDP port, list, or range that is bound locally.

DontRemoteOutboundTcpPorts

Specifies an outbound TCP port, list, or range that will not be connected through Forefront TMG (connect requests that will not be sent to Forefront TMG). Use this entry to specify the ports on which clients should not communicate with Forefront TMG. This is useful when protecting the Forefront TMG firewall from attacks on the Internal network, which are spread by accessing a fixed port at random locations.

DontRemoteOutboundUdpPorts

Specifies an outbound UDP port, list, or range that is bound locally.

RemoteBindTcpPorts

Specifies a TCP port, list, or range that is bound remotely.

RemoteBindUdpPorts

Specifies a UDP port, list, or range that is bound remotely.

ProxyBindIP

Specifies an IP address or list that is used when binding with a corresponding port. Use this entry when multiple servers that use the same port need to bind to the same port on different IP addresses on the Forefront TMG computer. The syntax of the entry is:

ProxyBindIp=[port]:[IP address], [port]:[IP address]

The port numbers apply to both TCP and UDP ports.

ServerBindTcpPorts

Specifies a TCP port, list, or range for all ports that should accept more than one connection.

Persistent

Possible values: 0 or 1. When the value is set to 1, a specific server state can be maintained on Forefront TMG if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets upon server restart.

ForceCredentials

Used when running a Windows service or server application such as Forefront TMG Client. When the value is set to 1, it forces the use of alternate user authentication credentials that are stored locally on the computer that is running the service. The user credentials are stored on the client computer using the FwcCreds.exe application that is provided with Forefront TMG. User credentials must reference a user account that can be authenticated by Forefront TMG, either local to Forefront TMG or in a domain trusted by Forefront TMG. The user account is normally set not to expire. Otherwise, user credentials need to be renewed each time the account expires.

NameResolutionForLocalHost

Possible values: L (default), P, or E. Used to specify how the local (client) computer name is resolved when the gethostbyname API is called. The LocalHost computer name is resolved by calling the Winsock API function gethostbyname() using the LocalHost string, an empty string, or a NULL string pointer. Winsock applications call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server. When this option is set to L, gethostbyname() returns the IP addresses of the local host computer. When this option is set to P, gethostbyname() returns the IP addresses of the Forefront TMG computer. When this option is set to E, gethostbyname() returns only the external IP addresses of the Forefront TMG computer, that is, those IP addresses that are not in the local address table.

ControlChannel

Possible values: Wsp.udp or Wsp.tcp (default). Specifies the type of control channel used.

EnableRouteMode

Possible values: 0 or 1 (default). When EnableRouteMode is set to 1 and a route relationship is configured between the Forefront TMG Client computer and the requested destination, the IP address of the Forefront TMG Client is used as the source address. When the value is set to 0, the IP address of the Forefront TMG computer is used. This flag does not apply to older versions of the Firewall Client.
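As an added example (not code from Microsoft's documentation or from the TMG product), the following Python checks a set of application settings against the value domains listed in the table above and flags entries that take an application out of the client's control. The page does not give the on-disk file syntax, so settings are passed in as a dict; the port-list syntax (comma-separated, with a-b ranges) and the ProxyBindIP parsing are assumptions.

```python
# Added example, not from the documentation. Assumed: port lists are comma-separated with "a-b" ranges.
import ipaddress
import re

FLAGS_01 = {"Disable", "DisableEx", "Autodetection", "Persistent", "ForceCredentials", "EnableRouteMode"}
PORT_KEYS = {"LocalBindTcpPorts", "LocalBindUdpPorts", "DontRemoteOutboundTcpPorts",
             "DontRemoteOutboundUdpPorts", "RemoteBindTcpPorts", "RemoteBindUdpPorts", "ServerBindTcpPorts"}
ENUMS = {"NameResolution": {"L", "R"}, "NameResolutionForLocalHost": {"L", "P", "E"},
         "ControlChannel": {"Wsp.udp", "Wsp.tcp"}}
KNOWN = FLAGS_01 | PORT_KEYS | set(ENUMS) | {"ServerName", "ProxyBindIP"}

def parse_ports(value):
    """Parse '80, 443, 1024-1100' into a sorted port list; raise ValueError on bad input."""
    ports = set()
    for item in (s.strip() for s in value.split(",")):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def parse_proxy_bind_ip(value):
    """Parse the page's 'port:IP, port:IP' ProxyBindIP syntax into [(port, ip), ...]."""
    pairs = []
    for item in (s.strip() for s in value.split(",")):
        port, _, ip = item.partition(":")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port in {item!r}")
        pairs.append((int(port), str(ipaddress.ip_address(ip.strip()))))
    return pairs

def validate(app, settings):
    issues = []  # problems and review notes for one application's {key: value} settings
    for key, value in settings.items():
        if key in FLAGS_01 and value not in ("0", "1"):
            issues.append(f"{app}: {key} must be 0 or 1, got {value!r}")
        elif key in ENUMS and value not in ENUMS[key]:
            issues.append(f"{app}: {key} must be one of {sorted(ENUMS[key])}, got {value!r}")
        elif key in PORT_KEYS or key == "ProxyBindIP":
            try:
                (parse_proxy_bind_ip if key == "ProxyBindIP" else parse_ports)(value)
            except ValueError as e:
                issues.append(f"{app}: {key}: {e}")
        elif key not in KNOWN:
            issues.append(f"{app}: unknown key {key!r}")
    # Review note: Disable/DisableEx=1 exempts this application from the client entirely.
    if settings.get("DisableEx") == "1" or settings.get("Disable") == "1":
        issues.append(f"{app}: Forefront TMG Client disabled for this application")
    return issues
```

A mistyped key is reported rather than silently ignored, which matters because a typo in a key such as DontRemoteOutboundTcpPorts leaves the intended restriction unapplied.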

Concepts

Deploying Forefront TMG Client
Configuring client computers