Overview of authentication in Forefront TMG

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG can allow or deny Web access to resources based on user authentication. Web authentication is used in the following scenarios:

• Web access—Outbound Web proxy requests. For information about the authentication process, see Planning for web access authentication.

• Web publishing—Incoming requests for published servers. For information about the authentication process, see About authentication in Web publishing.

The following table summarizes the methods and servers that are used for both the scenarios.

Authentication method	Web access	Web publishing	Authentication Server
HTTP authentication: Basic	Yes	Yes	Active Directory Domain Services (AD DS) or Remote Authentication Dial-In User Service (RADIUS) Lightweight Directory Access Protocol (LDAP) for incoming requests only
HTTP authentication: Basic	Yes	Yes	AD DS, LDAP, or RADIUS
HTTP authentication: Digest/WDigest	Yes	Yes	AD DS
HTTP authentication: Integrated (NTLM)	Yes	Yes	AD DS
Client certificate	No (requests to upstream proxy server only)	Yes	AD DS
Forms-based authentication	No	Yes	AD DS, LDAP, RADIUS, RADIUS OTP, RSA SecurID

For information about the methods and servers that are used in Web access and Web publishing authentication, see:

• About authentication methods

• About authentication servers

Related Topics

Concepts

Access design guide for Forefront TMG