With the availability of Microsoft’s Forefront Threat Management Gateway (TMG) 2010 on MSDN and as a free trial download from TechNet, I decided it was finally time to install the RTM version and add a TMG post to the ISA & TMG collection here on RetroHack. In this two-part post, we will go over the basic installation of the product, with the intended uses of forward and reverse proxy, VPN termination, and firewall. The server we build during this post will be used again in future posts. The ISA 2006 posts have been some of the most popular on this blog, so I hope that this one meets with your expectations.
The minimum system requirements can be found here but the highlights are as follows.
| Hardware | MSFT requirements | RetroHack recommendations |
|---|---|---|
| CPU | 64-bit, 1.86 GHz, 2-core (1 CPU x dual core) processor | Two dual-core CPUs |
| RAM | 2 GB, 1 GHz RAM | 4 GB, 1 GHz RAM |
| Disk | 2.5 GB available space to install TMG, plus room for caching | A fast RAID 5 array, or better still, a separate disk for caching |
| NIC | One NIC | Two gigabit NICs with TOE, but NO teaming |
For our install, we’ll start with a Windows 2008 R2 Standard 64bit system, running a single dual-core Athlon processor, with 2GB of RAM and two network cards. One network card will connect to the Internet by way of a TWC Cable bridge. The other will connect to the internal network.
Before beginning with a TMG install, you will want to have your server build complete, with all patches/updates installed, any third-party tools you like to have on a standard system, and of course antivirus. If you plan on the server being a domain member (and you should), join the domain before you begin. With two NICs, the external NIC is the only one that gets a default gateway, and that is the one provided by the ISP; the internal NIC gets no gateway, and if you have more than one subnet on the internal network, it needs persistent static routes to all of the internal ranges configured before you begin. If you don’t remember how to do that, here’s the CLI syntax, old school style. Sorry, but I hate netsh.
route -p add w.x.y.z mask a.b.c.d m.n.o.p
where w.x.y.z is the destination network address, a.b.c.d is its subnet mask, m.n.o.p is the next-hop router on the internal NIC’s subnet, and -p makes the route persistent so it survives a reboot. Check the result with route print before you go any further.
I can’t stress this enough: get your networking squared away on this machine BEFORE installing TMG!
If you are directly connected to your server, you should be fine, but if you are using RDP, make sure you connect over IPv4, not IPv6. The easiest way to do that is to connect using the IPv4 address instead of the FQDN, which Windows will otherwise happily resolve to an IPv6 address and prefer. If you don’t, you get something that looks like this.

Yes, that does raise interesting questions about the IPv6 support in TMG, but that is a topic for another post since I really don’t have a clue why this is a problem. Also, we are a long way from being able to RDP to this server from any host, so once you start, stay on this host to the end.
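The networking checklist above (one default gateway on the external NIC only, persistent routes for the other inside subnets) and the IPv4-only RDP advice are easy to verify from a console before the installer is anywhere near the box. The script below is an added example and not from the original post; it uses only PowerShell 2.0, WMI and route.exe as shipped with Windows Server 2008 R2. The subnets, next hop and adapter layout are constructed values for illustration, so substitute your own.

```powershell
# Added example (not part of the original post): pre-install network sanity check
# for a two-NIC TMG box. PowerShell 2.0 / WMI / route.exe only, so it runs on 2008 R2.

function ConvertTo-UInt32([string]$Dotted) {
    # IPAddress.GetAddressBytes() is network (big-endian) order; BitConverter is little-endian.
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-UInt32([uint32]$Value) {
    $b = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($b)
    return (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

function Get-NetworkAddress([string]$Ip, [string]$Mask) {
    # Network address = IP AND mask. This is the range TMG derives for the internal
    # network when you pick the internal interface in the setup wizard.
    $net = (ConvertTo-UInt32 $Ip) -band (ConvertTo-UInt32 $Mask)
    return ConvertFrom-UInt32 ([uint32]$net)
}

function Test-TmgNetworkLayout {
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
    $gatewayNics = @()
    $fmt = "{0,-45} {1,-15} mask {2,-15} net {3,-15} gw {4}"
    foreach ($nic in $nics) {
        $gw = @($nic.DefaultIPGateway)
        if ($gw.Count -gt 0) { $gatewayNics += $nic.Description }
        # IPAddress and IPSubnet are parallel arrays; skip the IPv6 entries.
        for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
            if ($nic.IPAddress[$i] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
            $net = Get-NetworkAddress $nic.IPAddress[$i] $nic.IPSubnet[$i]
            $fmt -f $nic.Description, $nic.IPAddress[$i], $nic.IPSubnet[$i], $net, ($gw -join ',')
        }
    }
    # Exactly one NIC (the external one) should carry a default gateway; the internal NIC
    # reaches the other inside subnets through persistent static routes instead.
    if ($gatewayNics.Count -ne 1) {
        Write-Warning ("Expected one NIC with a default gateway, found {0}: {1}" -f `
            $gatewayNics.Count, ($gatewayNics -join '; '))
    }
}

function Add-PersistentInternalRoutes($Subnets) {
    foreach ($s in $Subnets) {
        # -p stores the route under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
        & route.exe -p add $s.Network mask $s.Mask $s.NextHop
    }
}

function Test-RdpSessionIsIPv4 {
    # netstat -n prints IPv6 endpoints in [brackets]; an RDP session over IPv6 is the
    # case the post warns about.
    $lines = @(& netstat.exe -n | Select-String ':3389\s+\S+\s+ESTABLISHED')
    foreach ($l in $lines) {
        $text = $l.Line.Trim()
        if ($text -match '\[') { Write-Warning "RDP over IPv6: $text  (reconnect with mstsc /v:<IPv4 address>)" }
        else { "RDP over IPv4: $text" }
    }
}

# Constructed example: two inside subnets reachable through an internal router at 10.10.10.1.
$InternalSubnets = @(
    @{ Network = '10.10.20.0'; Mask = '255.255.255.0'; NextHop = '10.10.10.1' },
    @{ Network = '10.10.30.0'; Mask = '255.255.255.0'; NextHop = '10.10.10.1' }
)

Test-TmgNetworkLayout
Add-PersistentInternalRoutes $InternalSubnets
& route.exe print -4
Test-RdpSessionIsIPv4
```

Run it from an elevated console on the TMG box itself. The per-interface listing shows the network address the wizard will derive for each NIC, the warning fires if the internal NIC has picked up a gateway (a common leftover from a DHCP build), and the last check tells you whether the session you are sitting in will survive the installer by showing which address family it is on.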
Mounting the DVD launches the TMG splash page, which is huge. You are going to want a display larger than 1024×768 for this. I love my netbook, but a full-screen RDP session is not going to cut it on anything with a display smaller than 1366×768.

As you can see, the installation process is neatly divided up into stages.
This section contains links to the deployment guide, and release notes. I don’t really expect you to read the release notes, but you might want to skim the deployment guide for specific scenarios. This post is more for those of you who want to dive in and see how TMG works, to light the fires and kick the tires, so we are going to dive right into…
This section has three parts, and the first should be fast and easy: running Windows Update. If you started on the right foot, you are already patched. Click it anyway to be sure. Once you have verified you are fully up to date, the real fun begins! Click “Run Preparation Tool.” This tool adds/enables the roles and features TMG needs, namely
- Network Policy Server
- Routing and Remote Access Services
- Active Directory Lightweight Directory Services Tools
- Network Load Balancing Tools
- Windows PowerShell
- Microsoft .NET Framework 3.5 SP1
- Windows Web Services API
- Microsoft Windows Installer 4.5
- Microsoft Chart Controls for Microsoft .NET Framework 3.5 and 3.5 SP1.
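The Preparation Tool does not give you much feedback beyond a progress bar, so it is worth confirming what it actually left on the box before moving on to the installer. The script below is an added example, not from the original post or from the TMG product. It assumes Windows Server 2008 R2 with the ServerManager module, and the feature IDs in the list are my assumptions for that OS version; confirm them with Get-WindowsFeature on your own server. Windows Installer 4.5 and the Windows Web Services API are already part of 2008 R2, so of the remaining items only the Chart Controls show up as a separate installed package.

```powershell
# Added example (not part of the original post): verify the Preparation Tool's work.
# Requires the ServerManager module that ships with Windows Server 2008 R2.
Import-Module ServerManager

# Feature IDs are assumed for 2008 R2; check them with Get-WindowsFeature on your box.
$RequiredFeatures = @(
    'NPAS-Policy-Server',   # Network Policy Server
    'NPAS-RRAS-Services',   # Routing and Remote Access Services
    'RSAT-ADLDS',           # AD LDS tools
    'RSAT-NLB',             # Network Load Balancing tools
    'PowerShell',           # Windows PowerShell
    'NET-Framework-Core'    # .NET Framework 3.5.1
)

function Get-MissingWindowsFeatures([string[]]$Names) {
    $missing = @()
    foreach ($name in $Names) {
        $f = Get-WindowsFeature -Name $name
        if ($f -eq $null)          { $missing += "$name (no such feature ID on this OS)" }
        elseif (-not $f.Installed) { $missing += $name }
    }
    return $missing
}

function Get-InstalledProductsLike([string[]]$Patterns) {
    # The remaining prerequisites are MSI packages, not roles. Read the Uninstall keys
    # rather than Win32_Product, which triggers a consistency repair of every package.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = @{}
    foreach ($p in $Patterns) { $found[$p] = $false }
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($p in $Patterns) {
            if ($_.DisplayName -like $p) { $found[$p] = $true }
        }
    }
    return $found
}

function Get-PendingUpdateCount {
    # Same Windows Update Agent COM API the splash page's "Windows Update" step drives;
    # needs the box to reach WSUS or Microsoft Update.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    return $result.Updates.Count
}

$missing = @(Get-MissingWindowsFeatures $RequiredFeatures)
if ($missing.Count -gt 0) { Write-Warning ("Features still missing: " + ($missing -join ', ')) }
else { "All listed roles and features are installed." }

$products = Get-InstalledProductsLike @('Microsoft Chart Controls*')
$products.GetEnumerator() | ForEach-Object { "{0,-35} installed: {1}" -f $_.Key, $_.Value }

"Pending updates: $(Get-PendingUpdateCount)"
```

Run it from an elevated PowerShell prompt after the Preparation Tool reports success. If anything comes back missing, re-run the tool rather than adding roles by hand, since it also applies the configuration the installer expects to find.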
Accept the licensing terms, and click next. Then you are prompted to choose whether you are installing the whole shebang, just the management tools (for you to remotely manage from your workstation) or the Enterprise Management Server, which you can use for storing the configuration of and managing arrays. If you read the deployment guide, you might be planning on several servers with different roles. Since we’re just setting up one to take TMG out for a spin, we’re going to stick with the default. 
Click Next to proceed, then go for coffee. Mmmm, coffee.

It is by caffeine alone I set my mind in motion.
It is by the extract of Coffea canephora that the thoughts acquire speed, the hands acquire shaking, the shaking is a warning.
It is by caffeine alone I set my mind in motion.
Decent hardware will take only a couple of minutes; lesser oomph may take considerably longer. Once it is done, click Finish to launch the Forefront TMG Installation Wizard. We’re now in the third step of the process: the actual install! The UAC prompt might be hiding, so if nothing seems to happen, look for the icon flashing down on the task bar.
This might be the first point where you encounter fail. Remember I warned you to use IPv4 for RDP? If you didn’t listen, cancel at this point, reconnect using the IPv4 address, then click the “Run Installation Wizard” link on the splash page.
The wizard is pretty standard for MS at first, so click next, accept the licensing agreement, fill in your user information (the MSDN version is pre-pidded,) and then, once again, you must choose.
Again, since we’re installing a single server to test things out, we’ll stick with the default and install Forefront TMG services and Management. On a ‘real’ server with lots of different physical disks, you might choose to install TMG to a directory on a dedicated drive; otherwise leave the default path and click Next.
Now we reach the point where thought is required. You must define the internal network.

If you have your networking already setup as suggested earlier, just click Add and select your internal interface. If not, you can define all your networks here, or just pick the internal interface anyway, and we can fix the network assignments later. That won’t be covered in this post however, so if you want to be ready to rock by the end of this article, fix your networking now. It’s okay, I’ll wait right here until you get back.
Ready? Click Next, and you will see that TMG, like ISA, is smart enough to create a system policy rule permitting remote management from the address you are connecting from, so your RDP session survives the install. However, if the workstation you are connecting from is a DHCP client, finish everything before you disconnect: if it comes back from the long weekend with a different lease, that address no longer matches the rule and you are locked out until you fix it at the console.

Click your way through and let the installing commence! Again, the time this takes is directly related to hardware, so be patient. More coffee would be a good thing now. Mmmm…coffee. I used to be known as the caffeinated mentat…the more you know.

Now this process will take some time, and you will see the gears spinning if you actually choose to sit and watch, but while Core Components did seem to take about 5 minutes, Additional Components took forever. I really mean it when I say go for coffee.
At some point near the end, as TMG starts services, and if you are using RDP, the progress bar will seem to stop. It hasn’t, you’ve just lost your connection. Disconnect and reconnect and you should see this.

Yay! You may now commence the dance of happiness.

But don’t get too excited…we’ve still got a lot of work to do before we are actually done. Click the checkbox to launch the management console and then click finish.
That will be covered in part two of this post, which I intend to have up in the next 48 hours, and should be available at this link. Check back soon!