Overview of Microsoft Forefront Threat Management Gateway 2010
Forefront Threat Management Gateway (TMG) 2010 is built on the architecture of Internet Security and Acceleration (ISA) Server to provide a full-featured security platform that can be deployed as a web proxy, a remote access gateway, an email relay, or a single-box solution that delivers all these functions. TMG 2010 offers significant enhancements over its predecessor, ISA Server 2006, through its ability to run as a 64-bit application under Windows 2008 R2, its close integration with Exchange Server 2010 and SharePoint 2010, and its array of new and improved security and management features.
Capabilities of Forefront TMG 2010 include a multi-layer firewall, URL filtering with support for Microsoft Reputation Services, signature-based network protocol inspection, certificate-based HTTPS inspection, and extensive VPN support. TMG 2010 includes advanced web security reporting features and streamlines authentication and policy enforcement via integration with Active Directory.
Progent's Microsoft-certified firewall consultants can help your organization assess the costs and benefits of deploying TMG 2010, design an efficient testing and rollout plan that follows industry best practices, configure TMG 2010 to operate with mission-critical Microsoft applications such as Exchange Server and SQL Server, help you create sensible security policies and configure TMG 2010 to enforce them, set up virtual Windows 2008 R2 servers with Windows Hyper-V to host TMG, create custom reports powered by SQL Server, and deliver ongoing consulting, Help Desk, and troubleshooting services. In addition, Progent can assist you in upgrading to Forefront TMG 2010 from any version of ISA Server.
Editions of Forefront Threat Management Gateway 2010
The Standard Edition of TMG 2010 includes all the functionality of its popular predecessor ISA Server 2006 (see Progent's ISA Server 2006 consulting services) and adds web anti-malware, HTTPS inspection, enhanced email security, a new Network Inspection System (NIS) that includes an unlimited subscription to updates from the Microsoft Malware Protection Center (MMPC), plus support for ISP redundancy.
The Enterprise Edition of TMG 2010 includes a Central Management Console for consolidated control of distributed instances or arrays of TMG 2010 SE. This leverages the management capability of the TMG Enterprise Edition by effectively extending it to lower-cost TMG 2010 SE systems installed at branch offices, remote sites, or network boundaries. The Enterprise Edition is also the only version that supports network load balancing for high availability and improved performance, Cache Array Routing Protocol (CARP) for load-balancing HTTP requests across multiple proxy cache servers, and unlimited virtualized CPUs for lower equipment costs and faster recovery.
The Medium Business Edition (MBE) of TMG 2010 is designed for use with Windows Essentials Business Server to act as a secure web gateway. Unlike ISA 2006, TMG MBE does not support arrays for load balancing and failover and does not allow a non-domain-joined gateway. TMG MBE also lacks TMG SE's support for HTTPS inspection, the Network Inspection System for signature-based protocol inspection, and ISP redundancy.
Deployment Options with Forefront Threat Management Gateway 2010
The flexible architecture and rich feature set of Forefront Threat Management Gateway 2010 support different deployment options to match the security needs of a broad range of organizations. TMG 2010 can be deployed on multiple servers in an array that synchronize from the same configuration storage for high performance and easy management. Basic options include running TMG 2010 as a secure web gateway, a remote access gateway, a secure email relay, or a single-box unified threat management (UTM) solution that serves all these functions. Capabilities of TMG 2010 that support these deployment options include:
Secure Web Gateway
Web proxy offering authentication and security
Web anti-malware provided with Web Protection subscription service
URL filtering integrated with Microsoft Reputation Services
HTTP filtering and HTTPS traffic inspection
Network Inspection System (NIS) for Internet protocols
Trickling of file content during inspection to prevent web timeouts
Centralized cache management for
Remote Access Gateway
VPN traffic inspection and quarantine
Secure publishing of web servers, internal servers, and Terminal Services
SSL bridging with decryption and re-encryption
Interoperability with Windows Server 2008 R2 BranchCache for localized web caching
Secure Email Relay
Protection from spam and malware
Email content filtering
Support for Exchange Edge Transport Server (EETS) and Forefront Protection 2010 for Exchange Server (FPES)
Single-server deployment of TMG, EETS and FPES for easy management and edge protection
Native support for Network Load Balancing to improve speed, availability, and manageability
Signature-based protection for SMTP, POP3, IMAP and MIME protocols
Unified Threat Management
Economical single-box security solution for mid-size businesses
Intrusion Protection System (IPS)
New and Improved Features of Forefront Threat Management Gateway 2010
TMG 2010 is built on ISA Server 2006's core capabilities and incorporates important new features and improvements. New and enhanced features provided with the latest version of TMG 2010 include:
Web anti-malware provided by the Web Protection subscription service scans web pages for viruses, malware, worms, and other threats.
URL filtering provided by the Web Protection subscription service controls web site access according to URL categories, allowing you to block sites with dangerous, objectionable, or distracting content.
E-mail protection subscription service based on FPES allows TMG 2010 to act as a secure relay for SMTP traffic, scanning for viruses, malware, spam, and restricted content (e.g., executable or encrypted files).
HTTPS inspection examines HTTPS-encrypted web traffic for malware and exploits and can enforce corporate web access policy inside encrypted sessions.
Network Inspection System (NIS) protects Microsoft applications from threats embedded in common network protocols including HTTP, DNS, SMB, RPC, and SMTP. TMG 2010 includes an unlimited subscription to the signature library maintained by Microsoft's MMPC team.
Enhanced Network Address Translation (NAT) allows you to designate e-mail servers to be published on a 1-to-1 NAT basis to avoid address incompatibility issues.
SIP traversal allows easier configuration of Voice over IP services inside the network.
Installation on Windows Server 2008 gives Forefront TMG 2010 64-bit support with more memory space and scalability.
New User Activity report documents and categorizes web surfing activity for specified users and time periods.
BranchCache can reduce bandwidth use and improve web performance when TMG 2010 is the Hosted Cache server at the branch office on a Windows 2008 R2 Server.
Secure SharePoint 2010 publishing is now supported on Forefront TMG 2010.
SafeSearch, enforceable on specified groups or company wide, can block objectionable search results including text, images, and videos found by popular search engines.
HTTPS Traffic Inspection
TMG 2010's ability to inspect encrypted HTTPS traffic is a significant enhancement over ISA Server 2006 because HTTPS sessions typically represent 10-15% of total web traffic. With HTTPS inspection, Forefront TMG is able to examine web traffic that has been encrypted within Secure Sockets Layer (SSL) tunnels. HTTPS inspection can police inbound and outbound traffic to block viruses and other malware, prevent access to sites with expired certificates, or thwart attempts to circumvent web access policies by running encrypted tunneling applications over a secure channel.
Forefront TMG provides HTTPS security by standing between the client computer initiating the HTTPS connection and the secure web site. TMG intercepts the client request and creates an SSL tunnel to the target site to validate the site's server certificate. TMG uses the details of the secure site's certificate to create a new SSL certificate and signs it with TMG's HTTPS inspection certificate. TMG then presents the new certificate to the client and uses it to establish a separate SSL tunnel to the client. The client will already have the HTTPS inspection certificate in its Trusted Root Certification Authorities certificate store and will therefore trust any certificate signed by it. TMG allows you to exclude designated sites from HTTPS inspection. This is useful, for example, for banking sites or sites that use self-signed certificates. Forefront TMG can also notify users automatically that HTTPS traffic is being inspected.
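The flow above, as an added example written in Go against the standard library only; it is not code from TMG or from Progent, and every certificate, CA name and host in it is constructed for illustration. The gateway validates the site's certificate against the public roots, passes excluded hosts through untouched, and otherwise re-issues the site's subject and names under its own inspection CA; a client accepts the re-issued certificate only if that inspection CA is in its trusted root store, which is why domain-joined clients must receive it in advance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint returns a key pair and certificate: ca == nil gives a self-signed CA, otherwise a server certificate
// for the DNS names signed by ca (the re-signing step TMG performs with its HTTPS inspection certificate).
func mint(subject pkix.Name, dns []string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // constructed validity
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	parent, signer := ca, caKey
	if ca == nil { // self-signed CA: signs with its own key and is allowed to issue certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// Trusts is the client's normal TLS check: does cert chain to a root in roots and name host?
func Trusts(cert *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Intercept is the gateway's decision for one HTTPS session: excluded hosts keep the site's own certificate, a site
// whose certificate fails validation is blocked (nil) rather than re-signed, any other site is re-issued under inspCA.
func Intercept(host string, site *x509.Certificate, publicRoots *x509.CertPool, exclude map[string]bool, inspCA *x509.Certificate, inspKey *ecdsa.PrivateKey) (*x509.Certificate, bool) {
	if exclude[host] {
		return site, false
	}
	if !Trusts(site, host, publicRoots) {
		return nil, false
	}
	clone, _ := mint(site.Subject, site.DNSNames, inspCA, inspKey)
	return clone, true
}
```

A client without the inspection CA in its root store fails Trusts on the re-issued certificate even though the name matches, which is also the simplest way for a workstation to detect that its HTTPS sessions are being inspected.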
How Progent Can Help You with Forefront Threat Management Gateway 2010
Progent offers efficient online expertise for all aspects of deploying and supporting Forefront Threat Management Gateway 2010 and can help you follow industry best practices with tasks that include:
Installing Forefront TMG on Windows Server 2008
Installing TMG on a Headquarters Domain Controller or Remote Office Domain Controller
Configuring networks, routing, roles, and permissions
Configuring virtual TMG servers and arrays of TMG servers
Configuring client computers and authentication servers
Creating and configuring firewall policy, access rules, and VoIP settings
Installing BranchCache in TMG
Configuring VPN access and enforcing VPN client health
Publishing Microsoft applications and server roles including Exchange, SharePoint, OWA, and web servers
Enabling malware inspection, exceptions, and definition updates
Configuring HTTPS inspection, exclusions, and certificate updates
Configuring email protection with spam, virus, and content filtering
Administering, monitoring, and backing up TMG
Setting up load balancing and establishing redundant ISPs for high availability and performance
Creating standard and custom management reports
Progent can also help you migrate smoothly to Forefront Threat Management Gateway from any version of ISA Server and can provide webinar training as well as ongoing consulting, support, and troubleshooting services.
Contact Progent for Microsoft Forefront Threat Management Gateway 2010 Solutions
For more information about how Progent can help you with Forefront TMG, call 800-993-9400 or contact email@example.com
Progent's Support Services for Microsoft .NET Server Technology
For small companies across the U.S., Progent's Microsoft-authorized experts can provide network help and professional consulting support for the entire array of Microsoft .NET Enterprise Servers, Windows 2012 Server, Microsoft Windows 2008 R2 Server, and Microsoft Windows 2003 Server. Progent's migration, installation, optimization, and support services cover network architecture, configuration, and management outsourcing for project analysis and documentation, on-site and off-site technical support and system diagnosis, Help Desk Call Center Support, certified security consulting, and turn-key application server hosting services.