Planning for web access authentication

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)


This topic provides an overview of Web access authentication in Forefront TMG. For detailed information and the most up-to-date documentation, please see the Forefront TMG TechNet Library (

Forefront TMG enables you to request internal users to authenticate before they are allowed to access the Internet.

You can use one of the following methods to specify that authentication is required for Web access requests:

  • Require users to authenticate whenever they request Web access. Every Web session requires authentication.

    When using this method, note the following:

    • Anonymous Web access is disabled.

    • Forefront TMG requests user credentials and validates them before it checks the request against the Firewall policy. If users fail to authenticate, their access request is denied.

    • This method is defined per network. Most non-interactive clients, such as, the Windows Update client, cannot authenticate, and are therefore denied access.

  • Require users to authenticate for specific rules—You can configure individual access rules to require authentication, so that authentication is required only for requests that are checked against those rules. Using this method, the requirement to authenticate is part of the access rule. For more information about access rules and processing requests, see Planning to control network access.


If authentication is not required, internal users can access the Internet without identifying themselves.


Overview of authentication in Forefront TMG
Planning for web access