Clint Jones (United States of America) asked:
Forefront Threat Management Gateway 2010 Enterprise - Step by Step

I need help with the installation and setup of Microsoft Forefront Threat Management Gateway 2010 Enterprise:


- Running 2008 R2.
- It is at the point of just being in a workgroup and has not moved forward until the next step is explained.
- TMG 2010 is standing by for install.

I need help with install and setup. The most pressing issue is the Active Directory vs. workgroup setup.

My network consists of 5 servers, 3 laptops (wireless), 2 desktops, and then the firewall (TMG 2010):

The 4 servers are for use by external clients, ranging from email and web to Share Team.

Only one server is going to be used for internal server use, on which Active Directory resides, but at the moment the laptops and PCs are not using Active Directory; I would like to utilize it soon.

From what I see, I have to make the firewall (TMG 2010) a member server of an existing Active Directory domain controller in the same forest, etc.

Join the firewall to the DC before I can go further.

Question is: can the firewall be its own domain controller in its own domain and be added to another domain controller, either in the same forest or a different forest, with two-way trusts set up?

Putting it into workgroup mode seems to have many limitations, or features that just won't be available.

Help with this initial part will be very appreciated.  Please explain as much as possible.
To answer the question first: you should add it to a domain. Do not make the TMG server a domain controller on its own; this means you can easily do proper authentication and control.

As the previous comment says, TMG has been end-of-lifed by Microsoft.

What are you planning on using it for, web proxy or reverse proxy?

MS have reverse proxy options.

There are a lot of products that will do a web proxy for user browsing.
Clint Jones:

Thank you for your response, but I am very aware that MS Forefront TMG has been deprecated. I am aware of which 2 directions MS is taking Forefront, and that they have implemented protection within their products, i.e. Exchange 2013 etc., and discontinued TMG according...

However, I am looking for help with the original question above... And to add to irweazelwalllis: you cannot make a TMG a domain controller; it will not allow it... I am very familiar with ISA 2006, but TMG 2010 only so much...

TMG is going to be the firewall and NAT: Exchange, Lync and Shareteam 2013 will be behind the firewall, as well as the office server and PCs/laptops...

MS TMG 2010 is obtained and we are on a server budget, so I have to go with this product...

Unless you have some other suggestions, I need help with this please...
Just to restate the setup:  

Firewall:  MS forefront TMG 2010 on Windows 2008 R2 with 2 NICS

What is behind the firewall;

Server001: MS Server 2012 / Exchange 2013 / Domain Controller: Geek001
Server002: MS Server 2012/ Lync 2013 / Domain Controller: Geek002
Server003: MS Server 2012/ Shareteam 2013 / Domain Controller: Geek003

Server004: MS Server 2012/ Web Only IIS8.0 / Domain Controller: Geek004
Server005: MS Server 2012/ Office Server / Domain Controller: Geek005

PC's, Laptop's, and other devices...

So I am guessing I will have to make TMG part of the Geek005 domain, but how will it affect the other domains and other users... Other servers will all be web-based access and the PCs will be tied to the Geek005 server??

I need to start the install of TMG because it's not secured here and I need the NAT of the 5 static IP addresses to be sent through the firewall... Does Shareteam 2013 work OK with TMG 2010???

Thanks for any and all help...
Is Geek001-5 each a different domain?

To make life easy for the web proxy part, i.e. for users browsing through it, I would add it to your users' domain. If you have users in multiple domains, then you will need trusts in place to enable you to create user\group-controlled ACLs for browsing\internet access.

Ideally, for a reverse proxy you should have a separate TMG in a workgroup\DMZ domain to publish OWA. But if you are doubling up roles, then for reverse proxy, i.e. publishing Exchange and SharePoint, it should be fine in that domain as well; I don't think you need a trust in place.
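The advice above (join TMG to the users' domain, never run it on a DC, and have trusts to every other domain whose users you want in access rules) can be checked before the TMG install starts. The following pre-flight script is an added example, not from any participant in this thread or from Microsoft; it is run on the TMG host after the domain join, and the domain FQDNs in it are assumptions standing in for the poster's Geek001..Geek005 (it uses .NET DirectoryServices rather than the AD module so it works on the stock 2008 R2 PowerShell).

```powershell
# Added example (not from the thread): pre-flight posture check for a TMG host.
# Confirms the box is a domain member (not a workgroup host and not a DC),
# that its secure channel to the domain works, and which of the other
# user-holding domains are reachable through a trust from the host's domain.
# The FQDNs below are assumed placeholders for the poster's Geek00x domains.
$OtherUserDomains = @('geek001.local', 'geek002.local', 'geek003.local', 'geek005.local')

function Test-TmgDomainPosture {
    param([string[]]$UserDomains)

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning 'Host is in a workgroup: user/group-based access rules will not be available.'
        return
    }
    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    if ($cs.DomainRole -ge 4) {
        Write-Warning 'Host is a domain controller; TMG belongs on a member server.'
    }
    if (-not (Test-ComputerSecureChannel)) {
        Write-Warning ("Secure channel to {0} is broken; see Test-ComputerSecureChannel -Repair." -f $cs.Domain)
    }

    # Enumerate trusts from the host's own domain without needing the AD module.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $trustTargets = @($domain.GetAllTrustRelationships() | ForEach-Object { $_.TargetName })

    foreach ($d in $UserDomains) {
        if ($d -ieq $cs.Domain) { continue }    # own domain needs no trust
        if ($trustTargets -icontains $d) {
            "OK      : users/groups from $d can be referenced in TMG access rules (trust present)"
        } else {
            "MISSING : no trust to $d; its users/groups cannot be used in TMG rules until one exists"
        }
    }
}

Test-TmgDomainPosture -UserDomains $OtherUserDomains
```

Run it in an elevated PowerShell session on the TMG host; a MISSING line for a domain whose users must browse through the proxy means a trust (or consolidating those users into the TMG host's domain) has to come before the access rules are built.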
Thanks, and sorry for the delay. I will be responding back to this question and still need help with the issue... Clint