Release Notes for Forefront TMG 2010 RTM

Published: November 15, 2009

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

These release notes address late-breaking issues and information about installing, deploying, configuring and operating Microsoft Forefront Threat Management Gateway (Forefront TMG). It is essential that you read the information contained in this document, and review System requirements for Forefront TMG, before installing Forefront TMG.

The following sections describe issues that relate to:

Migration, installation, and deployment

The following issues relate to the migration, installation, and deployment of Forefront TMG:

Migrating from Forefront TMG RC to RTM

You must uninstall any existing installations of Forefront TMG Release Candidate (RC) before you can install Forefront TMG Release to Manufacturing (RTM). For information, see Migrating from Forefront TMG RC to RTM.

Upgrading an evaluation version of Forefront TMG which was installed from a folder share to the licensed version of Forefront TMG RTM

If you installed the Forefront TMG evaluation version from a share folder, you cannot upgrade to the licensed version of Forefront TMG RTM directly from the Forefront TMG DVD media. In this case, in order to upgrade to the licensed version of Forefront TMG RTM, you must copy the RTM version to a share folder and run the upgrade from the folder.

Running Forefront TMG installation from a network share

Running the Forefront TMG installation from a network share might result in failure due to the unsuccessful extraction of the SQL Express 2008 SP1 package.

If this happens, do the following:

  1. On the error message, click OK.

  2. After the Forefront TMG rollback, run the installation again.

  3. If the installation fails again, copy the installation file to the Forefront TMG server and run the installation locally, or run it from the installation DVD.

Installation of Microsoft .NET Framework 3.5 SP1 on Windows Server 2008 SP2

This note applies only to the installation of Forefront TMG on a computer that is running Windows Server® 2008 SP2. In this setup, in order for the Forefront TMG Preparation Tool to install .NET Framework 3.5 SP1 as part of the installation of prerequisite software, the Internet connection must be configured so that the proxy does not require authentication. For example, for a Forefront TMG proxy or an Internet Security and Acceleration Server 2006 proxy, add an access rule that allows the IP of the computer that runs the Preparation Tool. Note that the rule should be added before the rule that requires authentication. For information, see Creating an access rule.

Windows Filtering Platform error message following a computer or Forefront TMG services restart

After you restart the Forefront TMG computer or services, the following error message might be displayed:

“Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server. The following providers may define filters that conflict with Forefront TMG firewall policy: Microsoft Corporation.”

If this message is displayed, disable the alert from appearing again, since it does not indicate a real conflict.

Installing the Management console

Installation of the Forefront TMG Management console is not supported on Windows® XP. Installation of the console is supported on Windows Vista®, Windows Server 2008, Windows Server® 2008 R2, and Windows 7 operating systems.

Forefront TMG arrays

  • When you install Forefront TMG on a computer on which any of the Forefront TMG computer network interface addresses are DHCP-assigned, the installation process automatically adds the relevant network objects to the system policy Network Services group, in the DHCP rule source context. If you then join the standalone server to a Forefront TMG array, the server’s local policies are replaced by the array’s policy set. Unless the array system policy includes the same DHCP policy as defined in the standalone policies, the server that joined the array may eventually lose the DHCP-assigned IP address, and communication to and from those networks will fail.

    To prevent this problem, duplicate the standalone DHCP system policy configuration in the array system policy, before you join the standalone server to the array.

  • This release does not support the replication of an Enterprise Management Server to an ISA Server Configuration Storage server.

  • When you remove a server from an array (disjoin operation), if the alert "IsaManagedCtrl service failed to reload configuration" is displayed, you do not need to dismiss it or take any other action. The disjoin operation continues without interruption.

Update Center configuration following upgrade from Forefront TMG RC

Forefront TMG Update Center configuration settings are not migrated when upgrading from Forefront TMG RC to Forefront TMG RTM. After the upgrade is complete, you must reconfigure those settings. For information, see Managing definition updates for Forefront TMG.

Installing Forefront TMG on a computer where Windows updates were previously installed

If Windows updates were installed on the computer on which you want to install Forefront TMG, restart the computer before running any of the Forefront TMG installation tools; that is, before running the Preparation Tool or the Installation Wizard.


Before uninstalling Forefront TMG, note the following:

  • You must close all applications running on the computer before starting the uninstall process.

  • After initiating uninstall, do not attempt to cancel it. If uninstall is canceled while in progress, further attempts to uninstall the product may fail and it might be necessary to reinstall the operating system.

Configuration and operations

The following issues relate to the configuration and operation of Forefront TMG:

Adding and deleting IP addresses

When you try to add or delete IP addresses, the IP address-changing operation may stop responding; in which case, you would need to restart the Forefront TMG server. To avoid this, it is recommended that you install a hotfix that is provided by Microsoft. For information, see An IP address-changing operation stops responding on a computer that is running Windows Vista or Windows Server 2008 until you restart the computer (

Server authentication certificates

You cannot use certificates that were issued using a template of Type Minimum Windows 2008 Supported CA to create a Forefront TMG Web listener; for example, for Web application publishing or Secure Socket Tunneling Protocol (SSTP) VPN access.

Malware protection

  • The malware protection feature blocks the SHOUTcast streaming (ICY) protocol. Client applications that depend on this protocol, such as Nullsoft Winamp, will not work behind Forefront TMG. You can fix this problem by exempting the URLs for the streaming media from malware protection.

  • Some online video players may not function when malware protection is implemented. This could be related to the Content-Type header sent by the server. To resolve this issue, try specifying audio/mp4 as a content type that uses the fast trickling delivery method. For information, see Configuring malware inspection content delivery.

Virtual Private Network

  • This note is relevant for Internet Protocol Security (IPsec) site-to-site Virtual Private Networks (VPNs) on a Forefront TMG array that uses Network Load Balancing (NLB). In this setup, if the Forefront TMG server that serves as the tunnel owner fails (for example, due to lack of network connectivity), and a fallback Forefront TMG server assumes ownership of the tunnel, the following traffic is not resumed:

    • Web traffic from the local site where the failure occurred to the remote site. To prevent Web traffic loss, disable the Web proxy for Web traffic between the sites.

    • Any traffic from the local site to remote sites with which it has a Network Address Translation (NAT) relationship. To prevent loss of NATed traffic, configure a route relationship between remote sites.

  • RADIUS or VPN authentication might not function for localized user names in deployments in which the Network Policy Server (NPS) is installed on Windows Server 2008 R2. This is because NPS on Windows Server 2008 R2 uses Unicode for all authentication methods by default, while legacy clients or authentication methods other than Extensible Authentication Protocol use ANSI. To prevent this problem, configure both the NPS server and the connecting client to support ANSI instead of Unicode. For information, see I cannot connect when my user name contains Unicode characters (

  • Routing and Remote Access service (RRAS) might crash when several connections are established concurrently on a Forefront TMG server that is installed on a computer running Windows Server 2008 SP2. When this service crashes, all existing virtual private network (VPN) connections are terminated and no new VPN connections can be established. To recover from this, you must manually restart the Forefront TMG server. To avoid this problem, it is recommended that you install a hotfix that is provided by Microsoft. For information, see The Routing and Remote Access service may crash when there are several connections established concurrently on a computer that is running Windows Server 2008 (

VoIP/SIP Filter

  • Forefront TMG does not support the following:

    • Packet8 VoIP services.

    • Use of a Linksys PAPT2 phone with the CallCentric ITSP Internet Telephony Service Provider.

  • The quota for concurrent calls and registrations for internal IP addresses also affects external IPs, which means that, by default, only 10 calls can be received from ITSP at the same time. You can change this, as follows:

    1. In the Tasks pane of the Firewall Policy node, click Configure VoIP Settings.

    2. Click Configure SIP Quotas.

    3. Edit the Max number of registrations for specific IP address and Max number of calls for specific IP address to specify an appropriately large number.

  • VoIP Wizard should only be used when there is a ROUTE or SAME network relationship between the internal SIP components (telephones, IPPBXs and SIP gateways).

  • When the Internal PBX is in a network that is not NLB-enabled, and the phones are in an NLB-enabled network, calls will fail.

  • In deployments where the internal PBX is connected to PSTN via a SIP Trunk, SIP messages, for example calls that the internal PBX sends via ports other than 5060, are not handled.

  • In deployments that use a Session Border Controller (SBC), the SBC must be located in the external network. For example, it cannot be located in a perimeter network.

  • When IP routing is disabled, media to and from endpoints is available for no longer than 15 minutes, by default. To extend the time that the media is available, do the following:

    1. Access the following registry key:


    2. Change the value of the key to the required time. Note that time is defined by milliseconds, for example, the value for the default 15 minutes is 9000000.

Network Inspection System

Network Inspection System (NIS) definition updates are no longer supported on Forefront TMG Beta 3. To ensure regular updates, upgrade your system to Forefront TMG Release To Manufacturing (RTM).

Internet Protocol security (IPsec)

The default IPsec tunnel mode settings are not suitable for site-to-site virtual private network (VPN) connections between a Forefront TMG computer and an Internet Security and Acceleration (ISA) Server 2006 computer, because the servers have different default IPsec settings. Trying to establish a VPN connection between the sites by using the default settings will not succeed.

In such a deployment, make sure you modify the IPsec settings on the Forefront TMG server to match those on the ISA Server 2006 computer.


In ISA Server 2006 and 2004, the administrator had the option to require 128-bit encryption for HTTPS traffic. This is not necessary in Forefront TMG, because Windows Server 2008 requires at least this level of encryption for Secure Sockets Layer connections; therefore this option has been removed from all Forefront TMG releases.

Third-party add-ins

If you are running an add-in developed by a third-party vendor for a previous version of ISA Server, contact the provider to check on the availability of an updated version for Forefront TMG.

Logging and reporting

  • When you publish reports to a directory on the Forefront TMG server, you must add the SYSTEM account to the file sharing permissions of the directory to ensure that Forefront TMG will be able to publish the reports to the directory.

  • If your Forefront TMG deployment handles high volumes of traffic, you might need to change the default time of the Forefront TMG recurring report jobs from 1:00 to a later time, such as 3:00, to allow sufficient time to generate report summary data for the reporting summary that is scheduled to begin at 00:30.

  • The Forefront TMG default log maintenance policy defines the total size of logs files that the system saves before deleting old logs, as 8GB. For most organizations, this value is insufficient for the following log storage formats:

    • SQL Server Express Database

    • File

    To allow sufficient storage space for these logs, do one of the following, for both firewall logging and Web proxy logging:

    • Disable the option Limit total size of log files.

    • Disable the option Limit total size of log files, assess your storage needs over a period of one week, and then enable this option again and set storage to the required size.

    For details, see Configuring Forefront TMG logs.

  • TCP port 8008 is used for reporting purposes; assigning this port for any other purpose will interfere with Forefront TMG reporting services.


Narrator does not read text on the middle and right panes of the Forefront TMG Management console.

Copyright information

Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Forefront, SQL Server, Windows, Windows XP, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Related Topics