Planning to deploy Forefront TMG secure Web gateway
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help you plan the deployment of Forefront TMG secure Web gateway in your organization.
Note
Before you start, make sure that Forefront TMG is installed, configured, and tested in your environment. For information, see the Forefront TMG TechNet Library (https://go.microsoft.com/fwlink/?LinkID=131702).
This topic describes:
Planning your secure Web gateway network topology
Planning for URL filtering
Planning for HTTPS inspection
Planning for updates of protection definitions
Planning to generate Forefront TMG reports
Planning your secure Web gateway network topology
Organizations usually deploy their secure Web gateway inside the network, not at the network’s edge. With Forefront TMG secure Web gateway, the location of Forefront TMG in your network depends on the functionality of your deployment, as follows:
If you use Forefront TMG as a secure Web gateway only, deploy it inside the network. The following Forefront TMG network topologies are recommended for a secure Web gateway-only implementation:
Back firewall—In this topology, Forefront TMG is located at the network’s back end, and another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network.
Single network adapter—This topology provides limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network.
If you use Forefront TMG as both a secure Web gateway and a firewall, deploy it outside the network. The following Forefront TMG network topologies are appropriate for this type of implementation:
Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).
3-Leg perimeter—This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.
For more information, see Planning Forefront TMG network topology (https://go.microsoft.com/fwlink/?LinkId=179309).
Note
Forefront TMG network refers to the physical or logical network on which Forefront TMG is installed.
Planning for URL filtering
URL filtering is subscription based, and is part of the Forefront TMG Web Security Service license. For licensing information, see How to Buy (https://go.microsoft.com/fwlink/?LinkId=179848).
Planning for HTTPS inspection
In order to inspect HTTPS traffic, a certification authority (CA) certificate must be placed on the Forefront TMG server and deployed to all client computers.
You can obtain the certificate in one of two ways:
Generate a self-signed certificate on the Forefront TMG server.
Import a certificate that was issued either by a root CA in your organization or by a trusted public CA, that is, a CA that is operated by an outside entity, such as VeriSign. The certificate must be a Personal Information Exchange (.pfx) file, and must be trusted on the Forefront TMG server.
If you intend to import a certificate, place it on the Forefront TMG server prior to the configuration of HTTPS inspection. For information, see Managing HTTPS inspection certificates.
In multiple-array deployments, you generate or import the HTTPS inspection certificate for each of the arrays.
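The following PowerShell script is an added example and is not part of the Forefront TMG documentation: it checks a candidate .pfx file against the prerequisites listed above (private key present, CA certificate, within its validity period, trusted on the server) before you import it for HTTPS inspection. The file path is a placeholder; run the script in an elevated PowerShell session on the Forefront TMG server.

```powershell
# Added example, not part of the Forefront TMG documentation. Run in an elevated
# PowerShell session on the Forefront TMG server before importing the certificate.
# The path below is a placeholder; the .pfx password is prompted for as a SecureString.
param(
    [string]$PfxPath = 'C:\certs\https-inspection-ca.pfx'   # placeholder path
)

$password = Read-Host -Prompt 'PFX password' -AsSecureString
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $password, $flags

$problems = @()

# The HTTPS inspection certificate must include its private key: Forefront TMG uses it
# to issue the per-site certificates that clients see in place of the real server certificate.
if (-not $cert.HasPrivateKey) { $problems += 'The .pfx does not contain a private key.' }

# It must be a CA certificate (Basic Constraints CA=TRUE), not an ordinary server certificate.
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basic -or -not $basic.CertificateAuthority) {
    $problems += 'The certificate is not marked as a certification authority (Basic Constraints).'
}

# An expired or not-yet-valid CA makes every inspected HTTPS site fail validation on clients.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "The certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# It must be trusted on the Forefront TMG server: its chain has to end in a trusted root.
# Revocation checking is skipped because this check concerns trust, not revocation status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "The certificate is not trusted on this server (chain status: $status)."
}

# Print the thumbprint so the same CA can be verified in the clients' Trusted Root stores
# (Cert:\LocalMachine\Root) once it has been deployed to them.
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
if ($problems.Count -eq 0) {
    'OK: the certificate meets the HTTPS inspection prerequisites.'
} else {
    'Problems found:'
    $problems | ForEach-Object { " - $_" }
    exit 1
}
```

The script exits with a non-zero code when any prerequisite fails, so it can be used as a gate in a deployment checklist.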
Planning for updates of protection definitions
Malware inspection and Network Inspection System (NIS) use Microsoft product updates to keep protection definitions constantly updated.
Note
Updated definition files are provided by Microsoft Update and are subject to licensing. For licensing information, see How to Buy (https://go.microsoft.com/fwlink/?LinkId=157421).
You can select to update definition files by using either of the following methods:
Microsoft Update—Updates that are released through Microsoft Update are installed on the Forefront TMG computer.
Windows Server Update Services (WSUS)—For Forefront TMG arrays, you can deploy WSUS in the network in which Forefront TMG is deployed. A single server downloads the updates that are released through Microsoft Update, and distributes the updates to all the Forefront TMG computers in the network. This is the recommended update method for Forefront TMG arrays, because it provides centralized management, and saves time and network bandwidth. For more information, see Microsoft Windows Server Update Services 3.0 Overview (https://go.microsoft.com/fwlink/?LinkId=108173).
Note
- You can select to use Microsoft Update if the update from WSUS fails.
- If you join a production Forefront TMG server to an array, download the updates onto the server before joining it to the array.
For information on how to select the update method, see Managing definition updates for malware inspection and NIS.
By default, Forefront TMG allows traffic to and from Microsoft's various update sites. However, if you experience problems connecting to the Microsoft Update site, see the section “Troubleshooting connectivity to update sites” in Configuring connectivity to update sites (https://go.microsoft.com/fwlink/?LinkId=179312).
Planning to generate Forefront TMG reports
Forefront TMG reporting enables you to summarize and analyze activities on Forefront TMG, including Web usage and the activities of the Forefront TMG protection mechanisms. Report categories for Forefront TMG secure Web gateway include the following:
Web Usage
Malware Protection
URL Filtering
Network Inspection System
For general information on Forefront TMG reports, and for instructions on how to configure and view reports, see Configuring Forefront TMG reports (https://go.microsoft.com/fwlink/?LinkId=179492).