Installation design guide for Forefront TMG

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

The Forefront TMG installation design guide is intended to help you plan a new installation of Forefront TMG, or migrate an existing system, according to the requirements of your organization and the specific design that you want to create.

About this guide

This guide is intended for security administrators and IT operations engineers who have a good understanding of how Forefront TMG works on a functional level, as well as an understanding of the organizational requirements that will be reflected in the Forefront TMG design.

Identifying and mapping your installation goals

The following table is designed to help you identify your Forefront TMG installation goals. After you identify the goals that are appropriate for your organization, you can map them to the relevant Forefront TMG design, or designs.

Installation goal:
  • Migrate from Internet Security and Acceleration (ISA) Server 2004 to Forefront TMG
  • Migrate from ISA Server 2006 to Forefront TMG
  • Migrate from Forefront TMG Release Candidate (RC) to Forefront TMG Release to Manufacturing (RTM)
  • Upgrade from Forefront TMG Standard Edition to Enterprise Edition
Forefront TMG designs: Forefront TMG migration and upgrade paths. For information, see Planning for migration.

Installation goal: Install Forefront TMG.
Forefront TMG designs: Forefront TMG installation scenarios and modes. For information, see Planning to install Forefront TMG.

Installation goal: Provision your server hardware.
Forefront TMG designs: Forefront TMG hardware recommendations. For information, see Forefront TMG 2010 hardware recommendations.

Installation goal: Integrate Forefront TMG into your existing network topology according to your network security requirements.
Forefront TMG designs: Forefront TMG network topologies. For information, see Planning Forefront TMG network topology.

Installation goal: Determine the deployment environment.
Forefront TMG designs: Domain or workgroup environment. For information, see Workgroup and domain considerations.

Installation goal: Prepare the certificate infrastructure.
  • Web publishing: authenticating the Forefront TMG computer to the external user.
  • Web publishing: authenticating the back-end Web server to the Forefront TMG computer.
  • VPN: L2TP/IPsec or IPsec tunnel.
  • HTTPS inspection.
  • Workgroup environment: server authentication and data encryption.
Forefront TMG designs: For information, see Planning for server certificates.

Installation goal: Control Forefront TMG administration and auditing.
Forefront TMG designs: Forefront TMG roles and permissions. For information, see About Forefront TMG roles and permissions.

Installation goal: Prepare the domain name resolution infrastructure.
Forefront TMG designs: Server Domain Name System (DNS). For information, see Planning for domain name resolution.

Installation goal: Prepare internal computers to communicate with the Forefront TMG server.
  • Forefront TMG Client or other Firewall Client software.
  • Web proxy client.
  • Secure network address translation (SecureNAT) client.
Forefront TMG designs: For information, see About firewall client computers.

Installation goal: Enable internal computers to automatically detect the location of the Forefront TMG server they should use as a Web proxy.
Forefront TMG designs: Automatic Web proxy detection. For information, see Planning automatic Web proxy detection.

Concepts

Forefront TMG Planning and Design