Microsoft Forefront: Protecting Workgroups with Forefront

You can use Microsoft Forefront Threat Management Gateway as intended with Active Directory, or use it to secure a workgroup setting.

Brien Posey

Connectivity yields collaboration, yet it can also yield risk and exposure. You can configure your workers in a workgroup and still protect them, your data and your corporate network with Microsoft Forefront Threat Management Gateway (Forefront TMG) 2010.

While generally regarded as an enterprise-class application set designed for use within an Active Directory environment, you don’t absolutely need to deploy Forefront within Active Directory. You can effectively deploy Forefront TMG in a number of different topologies and for various purposes.

In a workgroup environment, you’ll want to set up Forefront TMG at the network perimeter so it can inspect inbound HTTP and HTTPS packets for malicious content. You can also use it to filter the types of Web sites your users visit.

Because the Forefront TMG server will sit at the network perimeter, it should have a minimum of two network adapters. One adapter will connect to the private network, while the other will connect to the outside world. Microsoft recommends that both of these adapters be configured with a static IP address.

Microsoft designed Forefront to be deployed within a Windows domain. Although you can use it within the context of an enterprise workgroup, there are some minor limitations you would not normally encounter in a domain environment.

For example, if you’re deploying Forefront into a workgroup environment, you won’t be able to use automatic Web proxy detection. Similarly, without an Active Directory domain, you won’t be able to configure Forefront using Group Policy settings. Instead, you’ll have to use local security policies on each individual machine running Forefront.

Other limitations warrant more careful consideration. For example, computers running Forefront TMG Standard are typically joined to an Enterprise Management Server. However, you can’t perform Enterprise Management Server replication in a workgroup environment.

Certificate Authority

One of the biggest requirements for installing Forefront in a workgroup environment is that you must have a server certificate installed on the Forefront TMG server. Because you’ll only use this certificate internally, Microsoft recommends creating your own Enterprise Certificate Authority as a way of avoiding the costs associated with purchasing a commercial certificate.

Windows Server has everything you need to configure it to act as a Certificate Authority. Given the sensitive nature of server certificates, however, you should deploy certificate services on a server other than the one that will act as your Forefront gateway at the network perimeter.

Once you’ve chosen a server to act as a certificate authority, open the Server Manager. Go to the Roles container and click on the Add Roles link. Windows will launch the Add Roles wizard. Bypass the wizard Welcome screen and you’ll be taken to a screen that asks you to pick the roles that you want to install.

Choose the Active Directory Certificate Services role and click Next. You’ll see a warning message telling you that once you install the Active Directory certificate services, you won’t be able to change the server’s name or domain status.

You’ll be prompted to choose the role services you want to deploy. Choose Certification Authority and Certification Authority Web Enrollment services and click Next.

At this point, Windows will ask you if you want to deploy a standalone or an enterprise certificate authority. Because you’re setting up for a workgroup environment, choose the Standalone option. Click Next, and you’ll be prompted to choose the Certificate Authority type. As this is the first certificate authority in the organization, choose the Root CA option and click Next.

The wizard will now ask you whether you want to create a new private key or use an existing private key. Create a new private key and click Next.

When Windows displays the wizard Cryptography screen, click Next to accept the defaults. Then you’ll be prompted to supply a common name for the Certificate Authority. Enter the name of your choice and write it down. You’ll need to know this name later on when you deploy Forefront.

You’ll be prompted to select a certificate validity period. Click Next to accept the defaults. The wizard will now ask you to specify a location for the certificate database. Use any location you like, but you must be sure to regularly back up whatever location you choose.

Then the wizard will display an introduction to IIS. Click Next again and you’ll be able to install additional role services for IIS. The required role services are already selected, so just click Next, then Install to deploy the required role services. When the process completes, click Close.
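The Certificate Authority steps above can also be done unattended. The following PowerShell script is an added example, not part of the article: it assumes a Windows Server 2012 or later CA server (the ADCSDeployment cmdlets do not exist on the Server 2008 R2 the article’s wizard runs on), and the common name, validity period and database paths are placeholders you choose.

```powershell
# Added example: unattended equivalent of the Add Roles wizard steps above.
# Assumes Windows Server 2012+ (ADCSDeployment module) on a server that is
# NOT the Forefront TMG gateway. Run from an elevated PowerShell session.
$CaCommonName = 'Workgroup-Root-CA'   # placeholder: write this name down, TMG asks for it later
$DbDir        = 'D:\CertDb'           # placeholder: back up this location regularly
$LogDir       = 'D:\CertLog'          # placeholder

# Step 1: the two role services chosen in the wizard (CA + CA Web Enrollment).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Step 2: standalone root CA with a new private key. The article accepts the
# wizard's cryptography defaults; here they are stated explicitly so they are
# auditable. As with the wizard, the server name cannot change afterwards.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory $DbDir -LogDirectory $LogDir `
    -Force

# Step 3: web enrollment, so other machines can request certificates over HTTP(S).
Install-AdcsWebEnrollment -Force

# Check: the CA service is running and reports the common name you recorded.
if ((Get-Service CertSvc).Status -ne 'Running') { throw 'CertSvc is not running' }
certutil -cainfo name
```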

Preparing Your Server

You’ll need to prepare your server before you install Forefront TMG. Begin by installing all the latest Windows Server patches on your server. This is important to do—Forefront did not install correctly when I inadvertently skipped this step.

Once your server is up-to-date, insert the Forefront TMG 2010 installation media. When Windows displays the Forefront splash screen, click on the Run Preparation Tool link. When you do, Windows will launch the Forefront TMG Preparation Tool wizard.

Bypass the wizard Welcome screen and you’ll be prompted to accept the license agreement. You’ll see the screen shown in Figure 1, which asks you which type of Forefront installation you’ll be performing. Choose the Forefront TMG Services and Management option and click Next.

Figure 1 Choose the ForeFront TMG Services and Management option for installation

Windows will now install any necessary roles and features. When the process completes, make sure the Launch Forefront TMG Installation Wizard check box is selected and then click Finish.

Installing Forefront TMG

Windows will then launch the Forefront TMG Enterprise Installation Wizard. After the Welcome screen and accepting the license agreement, click Next again and you’ll have to provide your product key. Click Next once more and the wizard will ask you to confirm the installation path. Assuming everything looks good, click Next to go to the Define Internal Network screen.

Forefront TMG is designed to be deployed at the network perimeter, so it needs to know which IP addresses are included in your internal network. You can provide your internal address range by clicking the Add button.

At this point, you’ll be taken to the Addresses dialog box. Click the Add Adapters button and then pick the adapter connected to your internal network, as shown in Figure 2. If the adapter is using a dynamic IP address, you may have to go back to the Addresses dialog box and specify your internal address range manually.

Figure 2 Choose the adapter connected to your internal network

When you’ve specified your adapter and all internal IP address ranges, click Next. You may see a warning message telling you you’ll have to restart some services. If you see such a warning, just click Next again.

At this point, you may see a message telling you remote management is being enabled from your IP address. If you see such a message then be sure to make note of the IP address before clicking Next.

You should now see a message telling you you’re ready to install Forefront. Click the Install button and the installation process will begin. As you can see in Figure 2, the wizard provides you with an estimate of how long the installation process will take to complete. When the installation process completes, click Finish.

Configuring Forefront TMG

Now that you’ve installed Forefront TMG, open the Forefront TMG Management console and select the top node in the console tree. Click on the Launch Getting Started Wizard link, located in the Actions pane. When you do, Forefront will launch the Getting Started Wizard, shown in Figure 3.

Figure 3 The Getting Started Wizard walks you through the configuration process

Click the Configure Network Settings button to begin the configuration process, shown in Figure 3. This will launch the Network Setup Wizard. Bypass the wizard’s Welcome screen and you’ll be taken to a screen asking you to select the network template that best represents your topology. Because we’re going to configure the Forefront server to provide perimeter protection, select Edge Firewall as shown in Figure 4.

Figure 4 Select the Edge Firewall option

You’ll be prompted to select the network adapter connected to your internal network. This also lets you specify additional routes, but doing so will rarely be necessary in a workgroup environment.

After making your selection, click Next and you’ll see a screen asking you to choose the network adapter connected to the Internet. Make your selection and click Next, followed by Finish.

Configuring System Settings

Now it’s time to configure your system settings. Click the Configure System Settings button that’s shown in Figure 3. When you do, Windows will launch the System Configuration Wizard.

Bypass the wizard Welcome screen and you’ll see a screen similar to the one shown in Figure 5. In a domain environment, you’d have to provide a domain name and a DNS suffix. Because we’re setting up Forefront in a workgroup, we don’t have to do anything. Click Next, followed by Finish, to complete the system configuration.

Figure 5 Verify that Forefront is configured for a workgroup deployment

Define Deployment Options

The last step in the configuration process is to define the deployment options. Click the Define Deployment Options button shown in Figure 3. When Windows starts the Deployment Wizard, click Next to bypass the Welcome screen.

Then you’ll be asked if you want to use Microsoft Update to check for antivirus updates. Choosing Yes is highly recommended. Click Next and you’ll be taken to the screen shown in Figure 6.

Figure 6 Activate the complimentary license and enable malware inspection

As you can see in Figure 6, you must activate your Forefront license. Enable the Network Inspection System, which will look for malicious code at the HTTP/HTTPS packet level. You should also select the Enable Malware Inspection check box; you may also enable URL filtering if you like.

You’ll set an option to control how frequently Forefront checks for antivirus updates. By default, the update will check every 15 minutes. You can also configure a notification if update checks fail over a prolonged period of time.

Then the Wizard will ask you if you want to participate in the Microsoft Customer Experience Improvement Program. Make your selection and click Next, followed by Finish to complete the configuration process. Click Close to close the Getting Started Wizard.

Windows will now automatically launch the Web Access Policy Wizard. This wizard lets you control the types of Web filtering Forefront performs. Click Next to bypass the Welcome screen and you’ll see a screen asking you if you’d like to create a default rule that blocks potentially malicious URLs. Click Yes, followed by Next.

At this point, you’ll see a screen asking you about the types of Web sites to which you’d like to block access. For example, you can block access to sites containing hate speech or anything obscene. The list of blocked content is automatically populated, but you can adjust the list as needed.

Then the wizard will ask you if you want to apply malware inspection rules to the Web Access Policy. Choosing Yes is recommended, as is selecting the check box to block encrypted ZIP files that could potentially contain malicious files.

You’ll be asked if you want to let users use SSL-encrypted HTTP sessions (HTTPS). Inspecting HTTPS content is recommended, but Forefront cautions that doing so could potentially have legal consequences. Consider your decision carefully.

If you choose HTTPS inspections, you’ll be asked whether or not you want to notify the users of those inspections. You’ll also be informed that a certificate is required for the inspection process.

You can either have Forefront generate a self-signed certificate or use a custom certificate. Using a self-signed certificate isn’t an option in a workgroup environment, so you should use a custom certificate. Then you’ll have to provide the name of your certificate authority. This is the friendly name you defined when you created the certificate authority, not necessarily the server’s computer name.

Finally, you’ll see a screen indicating that you’ll be forced to manually export and deploy the certificate. Provide the wizard with a destination folder to which the certificate can be downloaded and click Next. When prompted, enable the default Web caching rule to finish the process.
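Because a workgroup has no Group Policy to push the HTTPS inspection certificate to clients (the limitation noted earlier), the exported certificate has to be installed on each client by hand. The following PowerShell script is an added example, not from the article: it installs the exported .cer file into a client’s Trusted Root store only after its thumbprint matches the value you recorded from the CA, so a swapped certificate is refused; the file path and thumbprint are placeholders, and it uses the .NET X509Store classes so it also runs on older PowerShell 2.0 clients.

```powershell
# Added example: deploy the exported TMG HTTPS-inspection certificate to a
# workgroup client. Placeholders: the .cer path and the expected thumbprint
# (read the thumbprint from the CA console before copying the file around).
param(
    [string]$CerPath            = 'C:\Deploy\tmg-https-inspection.cer',          # placeholder
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'    # placeholder
)
$ErrorActionPreference = 'Stop'

# Load the certificate and normalise both thumbprints for comparison.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$actual   = ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

# Refuse to trust anything other than the certificate you exported: a trusted
# root makes every HTTPS site TMG re-signs look genuine to this client.
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: file has $actual, expected $expected. Not installing."
}

# Install into the machine-wide Trusted Root store (requires elevation).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
    if ($store.Certificates.Find($findType, $actual, $false).Count -gt 0) {
        Write-Output "Already trusted: $actual"
    } else {
        $store.Add($cert)
        Write-Output "Installed $($cert.Subject) ($actual) into LocalMachine\Root"
    }
} finally {
    $store.Close()
}
```

Run it once per client from an elevated prompt; the script is idempotent, so re-running it on an already-trusted machine changes nothing.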

This procedure installs Forefront TMG in such a way that you can have it inspect HTTP/HTTPS packets as they pass through your network perimeter. Keep in mind, however, that Forefront TMG offers many additional features, such as the ability to inspect e-mail messages. This is a simpler deployment suitable for securing workgroups.

Brien Posey

Brien Posey, MVP, is a freelance technical author with thousands of articles and dozens of books to his credit. You can visit Brien’s Web site at brienposey.com.