About workgroup or domain considerations

Following installation, you can configure Microsoft Forefront Threat Management Gateway as follows:

  • In workgroup mode.
  • As a member of an existing corporate domain.
  • In a dedicated domain that has one-way or two-way trust with the corporate domain configuration.

There are a number of considerations when deciding whether to install in domain or workgroup mode:

  • When access rules require internal clients to authenticate for outbound access, Forefront TMG can authenticate domain user accounts against an Active Directory directory service domain controller. Web proxy requests in a workgroup environment can be authenticated against a RADIUS server.
  • Firewall client requests automatically include user credentials. To authenticate these requests, Forefront TMG should belong to a domain. In a workgroup environment, you can authenticate requests with user accounts that are mirrored to accounts stored in the local Security Accounts Manager (SAM) on the Forefront TMG server, but this requires some administrative overhead for secure management.
  • To authenticate inbound requests to internal Web servers using domain account credentials or certificate authentication, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS or SecurID server can be used for authentication.
  • To authenticate virtual private network (VPN) requests using domain account credentials or certificates, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS server can be used for authentication.
  • You can configure VPN client user mapping to map users of operating systems other than Microsoft Windows to domain user accounts. User mapping is only supported when Forefront TMG is installed in a domain.
  • In a domain, you can lock down the Forefront TMG server using Group Policy, rather than by configuring only a local policy.
  • In a domain environment, if Active Directory is compromised, for example by an internal attack, the firewall can also be compromised, because a user with Domain Administrator rights can administer every domain member, including the server running Forefront TMG. Similarly if the firewall is compromised, the domain in which Forefront TMG is located is also at risk. By default, the Domain Admins group is in the Administrators group on the Forefront TMG server.

Forefront TMG is commonly used in the following network topologies:

  • Edge configuration—This includes the following topologies:
    • Forefront TMG protecting the edge, with one adapter connected to the Internal network and the other connected to the External network.
    • A back-to-back configuration, with Forefront TMG as the front firewall protecting the edge, with an adapter connected to the External network and an adapter connected to a perimeter network. A back-end firewall (which may be Forefront TMG or a third-party product) is configured between the perimeter network and the Internal network.
    • A three-legged configuration, with Forefront TMG configured with three network adapters connected to the Internal network, the External network, and a perimeter network.
    At the edge, you can install Forefront TMG as a domain member or in workgroup mode. As a domain member, we recommend that you install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. This may help the internal forest from being compromised, even if an attack is mounted on the forest of the Forefront TMG computer. There are some limitations with this deployment. For example, you can configure client certificate authentication only for users defined in the Forefront TMG domain, and not for users in the corporate internal domain or forest.
  • Internal configuration—This includes the following topologies:
    • Forefront TMG at the back end in a back-to-back scenario. A typical scenario, with a Forefront TMG server installed at the edge and a second Forefront TMG server installed at the back end, is to install the front-end Forefront TMG server in workgroup mode and the back-end server as a domain member. Installing the back-end server as a domain member enables you to authenticate requests against Active Directory. In addition, you can harden the internal Forefront TMG computer using Group Policy for ease of management.
    • Forefront TMG configured with a single network adapter. In this scenario, Forefront TMG functions as a Web proxy or caching server. The main advantage of installing the Forefront TMG computer as a domain member in this scenario is the ease of use for authenticating users against Active Directory. For more information, see About single network adapter limitations.