Security GuRu (Tamer's blog)
January 30

Making your first Access Rule for Forefront Threat Management Gateway

Making your firewall access policy is simple, but you need a plan: what you want to do (Allow / Deny), for what type of traffic, from which source to which destination (computers or networks), and for which users or computers. If you need exceptions, they are easy to add. Give every policy you make a descriptive name. Also take care with the policy order, because it makes a difference. For example, if we have two access rules:

1. Allow All Traffic
2. Deny All Traffic

this order will allow all the traffic. But if they are rearranged as:

1. Deny All Traffic
2. Allow All Traffic

this order will deny all the traffic.

Making your first access policy:

When I tried to access my blog website from the machine hosting the Forefront Threat Management Gateway, I couldn't. Forefront Threat Management Gateway treats the hosting machine (Local Host) as a separate network, so a rule written for the Internal network does not cover it. So, we will make an access rule to allow the web traffic from the hosting machine.

Steps in the new access rule wizard:
- To have a more detailed look at the protocols, click Edit.
- Select whether you want your HTTP traffic to be inspected for malware or not.
- Forefront TMG detects the local host machine as a separate network.
- You can add multiple source networks or users to the same rule if you want to. Click Add.
- For the destination, you can choose "External" from the networks list to mean the whole internet. You can also make a new URL set: click New.
Installing Forefront Threat Management Gateway

ISA Server and Forefront were two separate products, but now they have become one. Forefront Threat Management Gateway (TMG) adds malware protection to the ISA Server functionality. This is a short presentation showing the installation step by step on Windows Server 2008 64-bit on a machine that is NOT part of a domain (just to keep things simpler at first).

First: Unpack the installation package. Then just follow the wizard and choose the installation path.

Second: Install the software. Choose "Install Forefront TMG". If you have other machines with Forefront TMG installed and you want to manage them remotely from this computer, choose "Install Forefront Threat Management Gateway Management Only"; this option does not install the TMG engine. In our case we will install the first option, which installs both the engine and the management interface, because we need everything to be available on this machine. Choose the network adapter connected to your internal network. You can also add other IP address ranges to your internal network; check the ranges for confirmation before clicking Next. Installation done.

Third: Begin configuring your Forefront Threat Management Gateway.

You have three templates. For this demonstration we will select the Edge template. (NB: the template preview is only there to help you understand what is going on; it does not affect your network configuration at all.) If your network settings were not detected automatically, make sure you enter them, and check the settings if you need to change any before clicking Finish. Make sure that the machine name and the domain settings (if you are connected to a domain) are detected correctly; otherwise, enter them manually.

You must keep your TMG server up to date to keep your network secure: new attack definitions and malware updates are released frequently. You can participate if you like ;)

On a first-time installation you may use the Web Access Wizard to make the web access policies for your network users, or you can uncheck it and make the access rules manually the way you like. Malware inspection for web traffic is a new feature; it uses the malware engines from Forefront server. Make sure you read the options carefully. It is always recommended to make the access rules manually so that you are allowing access only to what you really need and nothing more. You can selectively deny access to certain destinations (to be discussed in more detail in a later article). It is recommended to use the Malware Inspection feature. You can also enable web caching to reduce internet traffic for commonly accessed websites (to be discussed in a separate article on using a web caching server).

Now you have Forefront Threat Management Gateway successfully installed. To view the policies, click Firewall Policy on the left side. You will find the access rule we just created using the wizard. Make sure you click Apply to have the new settings applied.

Also note the default DENY ALL rule at the bottom of the list. Make sure this policy is always the last one, as it denies all connections that do not match the policies above it. If it is placed higher, access allowed by policies below it will never take effect.
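The two rule orderings above and the Local Host case from the access rule post, worked as an added Python example (this is not TMG code or the author's): a first-match evaluator over constructed rules and network names, plus a check that reports rules an earlier catch-all makes unreachable.

```python
# Added example (not TMG's own code): a first-match policy evaluator modelling how a
# TMG access policy is walked top to bottom. Network and rule names are constructed.
from dataclasses import dataclass

ANY = frozenset({"*"})            # wildcard entry: matches any protocol / network
@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocols: frozenset   # e.g. {"HTTP", "HTTPS"}
    sources: frozenset     # source networks, e.g. {"Internal"} or {"Local Host"}
    destinations: frozenset

def matches(rule, proto, src, dst):
    """A field matches when it holds the wildcard or lists the value."""
    return all("*" in field or value in field for field, value in
               ((rule.protocols, proto), (rule.sources, src), (rule.destinations, dst)))

def evaluate(policy, proto, src, dst):
    """Walk the policy in order; the first matching rule wins, else the default deny applies."""
    for rule in policy:
        if matches(rule, proto, src, dst):
            return rule.action, rule.name
    return "deny", "Default rule"

def shadowed(policy):
    """Names of rules that can never fire because an earlier rule already covers them."""
    def superset(a, b):
        return all("*" in fa or fb <= fa for fa, fb in
                   ((a.protocols, b.protocols), (a.sources, b.sources), (a.destinations, b.destinations)))
    return [later.name for i, later in enumerate(policy)
            if any(superset(earlier, later) for earlier in policy[:i])]

# Constructed rules mirroring the post's examples
ALLOW_ALL = Rule("Allow All Traffic", "allow", ANY, ANY, ANY)
DENY_ALL = Rule("Deny All Traffic", "deny", ANY, ANY, ANY)
WEB = frozenset({"HTTP", "HTTPS"})
WEB_INTERNAL = Rule("Allow web for internal users", "allow", WEB, frozenset({"Internal"}), frozenset({"External"}))
WEB_LOCALHOST = Rule("Allow web from TMG host", "allow", WEB, frozenset({"Local Host"}), frozenset({"External"}))

def demo():
    """Results for the orderings discussed in the post; Local Host is its own network."""
    return {
        "allow_then_deny": evaluate([ALLOW_ALL, DENY_ALL], "HTTP", "Internal", "External")[0],
        "deny_then_allow": evaluate([DENY_ALL, ALLOW_ALL], "HTTP", "Internal", "External")[0],
        "host_without_rule": evaluate([WEB_INTERNAL, DENY_ALL], "HTTP", "Local Host", "External")[0],
        "host_with_rule": evaluate([WEB_INTERNAL, WEB_LOCALHOST, DENY_ALL], "HTTP", "Local Host", "External")[0],
        "unreachable_with_deny_all_first": shadowed([DENY_ALL, WEB_INTERNAL, WEB_LOCALHOST]),
    }
```

Running `shadowed()` over an exported rule list is a quick way to spot a Deny All that has drifted above the rules it is meant to sit under.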
Technorati Tags: TMG, Forefront Threat Management Gateway, ISA Server