Deployment planning checklist

This planning checklist is designed to help you plan your deployment of Microsoft Forefront Threat Management Gateway before you install and begin configuration steps. It provides a list of matters you should consider relating to:

  • Installation
  • Web Access Policy
  • Exchange Web Client Access
  • Publishing Microsoft® Windows® SharePoint® Server
  • Mail Server Publishing
  • Remote Access VPN

Feature/Issue Planning required

Name resolution

For the Forefront TMG server to function properly, the Forefront TMG computer must be able to resolve both internal names and Internet names. Confirm that name resolution is properly configured for your environment before installing Forefront TMG.

For more information about name resolution, see Planning for DNS name resolution.


All network adapters should be properly installed and configured with the appropriate IP addresses.

The required routing entries for your environment should be configured, if required, prior to installing Forefront TMG.

Domain membership

Your authentication requirements and other considerations will determine whether Forefront TMG should be a member of the domain or in a workgroup.

For more information about deployment recommendations for Forefront TMG, see About workgroup or domain considerations.

Hardware requirements

See System requirements.

Software requirements

See System requirements.

Feature/Issue Planning required

Public Host Name

When users access a published site, they need to know the host name to use. In most cases the host name will be a fully qualified domain name (FQDN). You should select a name that will be easy for your users to remember.

Name resolution

When Forefront TMG faces the Internet, the public host name has to resolve to an IP address that is installed on the Forefront TMG computer. An A record must be created in your DNS server pointing to an IP address on your Forefront TMG computer. If your company’s public DNS Server is being hosted by your ISP or a third party, you will have to consult with them to create this entry.

IP Address

The IP address you selected for name resolution for the public host name has to be configured on the Forefront TMG computer.

An IP address can have only one certificate bound to it. If you would like to use the same IP address for different sites, you can install a wildcard certificate. For more information about certificates, see Certificates on Forefront TMG below.

Certificates on Forefront TMG

To enable encrypted communications between the client and Forefront TMG, a server certificate has to be installed on the Forefront TMG computer. The common name used to generate the certificate has to match the public host name.

For more information about Certificates and Forefront TMG, see Planning certificate deployment.

Certificates Published Web site

In order to enable secure communications between the Forefront TMG computer and the published Web site, a server certificate has to be installed for the published Web site. The Forefront TMG computer must use the common name used in this certificate when referencing the internal Web site, otherwise Forefront TMG will not be able to make the secure connection.

The trusted root certification authority certificate for the CA that issued the certificate installed on the published Web site must be installed on the Forefront TMG computer, or the connection will fail.

Kerberos Constrained Delegation

When using KCD as the authentication delegation method, KCD delegation must be configured for the Forefront TMG computer object in Active Directory®.

Authentication Delegation

When you configure authentication delegation, you must match the selected authentication delegation method to a supported method of authentication on the published server.

For more information, see About delegation of credentials.
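The name resolution, IP address and certificate rows above can be checked against a written publishing plan before installation. The following is an added example, not Microsoft code: the plan schema (`public_host`, `listener_ip`, `cert_cn`), the function names, and all host names and addresses are constructed assumptions, and DNS answers are supplied as a dictionary so the check runs offline.

```python
# Added example: lint a Forefront TMG Web publishing plan against the checklist.
# All host names, IP addresses and certificate names are constructed samples.

def cn_matches(common_name, host):
    """True if a certificate common name covers host (wildcard = one left-most label)."""
    cn, host = common_name.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        # "*.example.test" covers "mail.example.test" but not "a.b.example.test"
        label, _, parent = host.partition(".")
        return bool(label) and parent == cn[2:]
    return cn == host

def check_plan(sites, a_records, tmg_ips):
    """Return a list of findings; an empty list means the plan passes.

    sites     -- dicts with public_host, listener_ip, cert_cn (hypothetical schema)
    a_records -- public DNS view: host name -> IP address
    tmg_ips   -- IP addresses configured on the Forefront TMG computer
    """
    findings, cert_on_ip = [], {}
    for s in sites:
        host, ip, cn = s["public_host"], s["listener_ip"], s["cert_cn"]
        resolved = a_records.get(host)
        if resolved is None:
            findings.append(f"{host}: no A record")
        elif resolved not in tmg_ips:
            findings.append(f"{host}: A record {resolved} is not on the TMG computer")
        elif resolved != ip:
            findings.append(f"{host}: A record {resolved} differs from listener IP {ip}")
        if not cn_matches(cn, host):
            findings.append(f"{host}: certificate CN {cn} does not match host name")
        # One certificate per IP address: a second site may share the IP only
        # if it uses the same (for example wildcard) certificate.
        bound = cert_on_ip.setdefault(ip, cn)
        if bound != cn:
            findings.append(f"{host}: {ip} already has certificate {bound} bound")
    return findings

TMG_IPS = {"192.0.2.10", "192.0.2.11"}
A_RECORDS = {"mail.example.test": "192.0.2.10", "portal.example.test": "192.0.2.10",
             "crm.example.test": "198.51.100.7"}
PLAN = [
    {"public_host": "mail.example.test", "listener_ip": "192.0.2.10", "cert_cn": "mail.example.test"},
    {"public_host": "portal.example.test", "listener_ip": "192.0.2.10", "cert_cn": "portal.example.test"},
    {"public_host": "crm.example.test", "listener_ip": "192.0.2.11", "cert_cn": "*.example.test"},
]

if __name__ == "__main__":
    for finding in check_plan(PLAN, A_RECORDS, TMG_IPS):
        print(finding)
```

With the sample plan, the check reports the second certificate on a shared IP address and the A record that points away from the Forefront TMG computer.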

Feature/Issue Planning required

Forms-based authentication

When Forefront TMG is used to publish Exchange Web client access, forms-based authentication should only be configured on the Forefront TMG computer. Confirm that forms-based authentication is not selected on the Exchange 2007 Client Access Server or the Exchange 2003 Front-End server.

Feature/Issue Planning required

Alternate Access Mapping (AAM)

Alternate access mappings provide a mechanism for SharePoint administrators to identify the different ways in which users access portal sites, ensuring that URLs (links) are displayed appropriately for the manner in which the user accesses the portal site. For more information, see Configuring alternate access mappings on a SharePoint server.

Feature/Issue Planning required

MX Record

When publishing an SMTP server, you need to properly configure MX records for each domain. The MX record will point to an A record, and the A record should point to an IP address configured on the Forefront TMG computer. For more information, see Configuring Mail Protection.

Feature/Issue Planning required

Quarantine Control

Quarantine control enables you to check the health of clients attempting to create a remote access connection. For more information on quarantine control, see Configuring NAP based quarantine.