Clint Jones asked:

Forefront Threat Management Gateway 2010 Enterprise - Step by Step

I need help with the installation and setup of Microsoft Forefront Threat Management Gateway 2010 Enterprise:


- Running 2008 R2:
- It is at the point of just being in a workgroup and has not moved forward until the next step is explained.
- TMG 2010 is standing by for install.

I need help with install and setup; the most pressing issue is the Active Directory vs. workgroup setup.

My network consists of 5 servers, 3 laptops (wireless), 2 desktops, and then the firewall (TMG 2010):

Four of the servers are for use by external clients, ranging from email and web to Share Team.

Only one server is going to be used for internal use, on which Active Directory resides; at the moment the laptops and PCs are not using Active Directory, but I would like to utilize it soon.

From what I see, I have to make the firewall (TMG 2010) a member server of an existing Active Directory domain controller in the same forest, etc.

I have to join the firewall to the domain controller before I can go further.

The question is: can the firewall be its own domain controller in its own domain and be added to another domain controller, either in the same forest or a different forest, with two-way trusts set up?

Putting it into workgroup mode seems to have many limitations, or features that just won't be available.

Help with this initial part will be very appreciated.  Please explain as much as possible.
Tags: Microsoft Forefront ISA Server, Windows Server 2008

Last comment: Clint Jones, 8/22/2022 (Mon)


To answer the question first: you should add it to a domain.
Do not make the TMG server a domain controller on its own.
This means you can easily do proper authentication and control.

As the previous comment says, TMG has been end-of-lifed by Microsoft.


What are you planning on using it for, web proxy or reverse proxy?

MS have reverse proxy options.

There are a lot of products that will do a web proxy for user browsing.
Clint Jones

Thank you for your response, but I am very aware that MS Forefront TMG has been deprecated. I am aware of the two directions MS is taking Forefront, and that they have implemented protection within their products, i.e. Exchange 2013 etc., and discontinued TMG accordingly...

However, I am looking for help with the original question above... And to add to irweazelwalllis's point, you cannot make a TMG a domain controller; it will not allow it... I am very familiar with ISA 2006, but TMG 2010 only so much...

TMG is going to be the firewall and NAT: Exchange, Lync and Shareteam 2013 will be behind the firewall, as well as the office server and PCs/laptops...

MS TMG 2010 has been obtained and we are on a server budget, so I have to go with this product...

Unless you have some other suggestions, I need help with this please...
Clint Jones

Just to restate the setup:  

Firewall: MS Forefront TMG 2010 on Windows 2008 R2 with 2 NICs

What is behind the firewall:

Server001: MS Server 2012 / Exchange 2013 / Domain Controller: Geek001
Server002: MS Server 2012/ Lync 2013 / Domain Controller: Geek002
Server003: MS Server 2012/ Shareteam 2013 / Domain Controller: Geek003

Server004: MS Server 2012/ Web Only IIS8.0 / Domain Controller: Geek004
Server005: MS Server 2012/ Office Server / Domain Controller: Geek005

PCs, laptops, and other devices...

So I am guessing I will have to make TMG part of the Geek005 domain, but how does it affect the other domains and other users... The other servers will all be web-based access and the PCs will be tied to the Geek005 server??

I need to start the install of TMG because it's not secured here, and I need the NAT of the 5 static IP addresses to be sent through the firewall... Does Shareteam 2013 work OK with TMG 2010???

Thanks for any and all help...

Is Geek001-5 each a different domain?

To make life easy for the web proxy part, i.e. for users browsing through it, I would add it to your users' domain.
If you have users in multiple domains, then you will need trusts in place to enable you to create user\group-controlled ACLs for browsing\internet access.

Ideally, for a reverse proxy you should have a separate TMG in a workgroup\DMZ domain to publish OWA.
But if you are doubling up roles, then for reverse proxy, i.e. publishing Exchange and SharePoint, it should be fine in that domain as well; I don't think you need a trust in place.
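As an added illustration of the prerequisite the advice above implies (example code, not part of this thread and not Microsoft's or TMG's own tooling), a PowerShell pre-install check to run on the intended TMG host: it confirms the host is domain-joined rather than in a workgroup, then reports which of the other domains named in the thread have a trust with that domain, since user\group ACLs in TMG access rules depend on such trusts. The domain names, the presence of the RSAT ActiveDirectory module, and running as a user allowed to read trust objects are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module is
# installed on the future TMG host and that the host is joined to the users' domain.
Import-Module ActiveDirectory

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    # In a workgroup TMG cannot resolve domain users/groups for access rules.
    Write-Warning "Host is in workgroup '$($cs.Workgroup)'. Join the users' domain before installing TMG."
    return
}
$homeDomain = $cs.Domain
Write-Host "TMG host is a member of domain: $homeDomain"

# Other domains from the thread whose users/servers TMG would need to authenticate.
# Hypothetical names taken from the asker's server list.
$otherDomains = @('Geek001', 'Geek002', 'Geek003', 'Geek004')

# Trust objects as seen from the home domain. Direction is reported so the admin can
# confirm the home domain actually trusts the other domain (or the trust is two-way).
$trusts = Get-ADTrust -Filter * -Server $homeDomain

foreach ($d in $otherDomains) {
    # Match on either the short name or the DNS name of the trusted domain.
    $t = $trusts | Where-Object { $_.Name -like "$d*" -or $_.Target -like "$d*" }
    if (-not $t) {
        Write-Warning "$d : no trust with $homeDomain. Users from $d cannot appear in TMG user/group rules."
    } else {
        Write-Host ("{0} : trust direction={1}, forest-transitive={2}" -f $d, $t.Direction, $t.ForestTransitive)
    }
}
```

A domain that shows no trust here will also be unusable for user-based web proxy rules once TMG is installed, so it is cheaper to settle the domain/trust design before the install than after.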
Clint Jones

Thanks, and sorry for the delay; I will be responding back to this question and still need help with the issue... Clint