Forefront Threat Management Gateway 2010 Enterprise - Step by Step

I need help with the installation and setup of Microsoft Forefront Threat Management Gateway 2010 Enterprise:


- Running 2008 R2:
- It is at the point of just being in a workgroup and has not moved forward until the next step is explained.
- TMG 2010 is standing by for install.

I need help with install & setup. The most pressing issue is the Active Directory vs. workgroup setup.

My network consists of the 5 servers, 3 laptops (wireless) and 2 desktops, and then the firewall (TMG 2010):

The 4 servers are for use by external clients, ranging from email, web and Share Team.

Only one server is going to be used for internal server use, on which an Active Directory resides, but at the moment the laptops and PCs are not using Active Directory, though I would like to utilize it soon.

From what I see I have to make the firewall (TMG 2010) a member server of an already existing Active Directory domain controller in the same forest, etc.

Join the firewall to the DC before I can go further.

Question is: can the firewall be its own domain controller in its own domain and be added to another domain controller, either in the same forest or a different forest, with 2-way trusts set up?

Putting it into workgroup mode seems to have many limitations, or features that just won't be available.

Help with this initial part will be very much appreciated. Please explain as much as possible.

Clint Jones asked:

Are you aware that TMG 2010 is the latest version and will not be upgraded to newer versions? If you are NOT aware, you might consider an alternative, since at this point TMG 2010 is quite near DOA.

To answer the question first:
you should add it to a domain.
Do not make the TMG server a domain controller on its own.
This means you can easily do proper authentication and control.

As the previous comment says, TMG has been end-of-lifed by Microsoft.

What are you planning on using it for, web proxy or reverse proxy?

MS has reverse proxy options.

There are a lot of products that will do a web proxy for user browsing.

Clint Jones (Author) commented:
Thank you for your response but I am very aware that MS Forefront TMG has been deprecated. I am aware of what 2 directions MS is taking Forefront and that they have implemented protection within their products, i.e. Exchange 2013 etc., and discontinued TMG according...

However, I am looking for help with the original question above... And to add to irweazelwalllis, that you cannot make a TMG a domain controller, it will not allow it... I am very familiar with ISA 2006 but TMG 2010 only so much...

TMG is going to be the firewall and NAT: Exchange, Lync and Shareteam 2013 will be behind the firewall, as well as the office server and PCs / laptops...

MS TMG 2010 is obtained and we are on a server budget so I have to go with this product...

Unless you have some other suggestions, I need help with this please...

Clint Jones (Author) commented:
Just to restate the setup:  

Firewall: MS Forefront TMG 2010 on Windows 2008 R2 with 2 NICs

What is behind the firewall:

Server001: MS Server 2012 / Exchange 2013 / Domain Controller: Geek001
Server002: MS Server 2012/ Lync 2013 / Domain Controller: Geek002
Server003: MS Server 2012/ Shareteam 2013 / Domain Controller: Geek003

Server004: MS Server 2012/ Web Only IIS8.0 / Domain Controller: Geek004
Server005: MS Server 2012/ Office Server / Domain Controller: Geek005

PCs, laptops, and other devices...

So I am guessing I will have to make TMG part of the Geek005 domain, but how will it affect the other domains and other users... Other servers will all be web-based access and the PCs will be tied to the Geek005 server??

I need to start the install of TMG because it's not secured here and I need the NAT of the 5 static IP addresses to be sent through the firewall... Does Shareteam 2013 work ok with TMG 2010???

Thanks for any and all help...
Is Geek001-5 each a different domain?

To make life easy for the web proxy part, i.e. for users browsing through it, I would add it to your users' domain.
If you have users in multiple domains then you will need trusts in to enable you to create user\group controlled ACLs for browsing\internet access.

Ideally for a reverse proxy you should have a separate TMG in a workgroup\DMZ domain to publish OWA.
But if you are doubling up roles then for reverse proxy, i.e. publishing Exchange and SharePoint, it should be fine in that domain as well; I don't think you need a trust in place.
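As an added example (not from this thread or from Microsoft), a PowerShell check to run on the TMG host before starting setup: it confirms the box is a domain member rather than a domain controller or a workgroup machine, and lists the trusts its domain has, which is what decides whether user\group ACLs from the other domains will resolve. It assumes an elevated PowerShell session on the Windows 2008 R2 TMG server and uses only WMI and the .NET System.DirectoryServices.ActiveDirectory API, so it needs no RSAT module.

```powershell
# Added example: pre-install sanity check for the TMG host's domain position.
# Assumes an elevated PowerShell session on the TMG server itself.

# Win32_ComputerSystem.DomainRole: 0/2 = workgroup, 1/3 = domain member, 4/5 = domain controller
$cs = Get-WmiObject -Class Win32_ComputerSystem
$roleName = switch ($cs.DomainRole) {
    0 { 'Standalone workstation (workgroup)' }
    1 { 'Member workstation' }
    2 { 'Standalone server (workgroup)' }
    3 { 'Member server' }
    4 { 'Backup domain controller' }
    5 { 'Primary domain controller' }
}
"Host: {0}  Domain/Workgroup: {1}  Role: {2}" -f $cs.Name, $cs.Domain, $roleName

if ($cs.DomainRole -ge 4) {
    # A DC carries the directory database; TMG sits on the network edge and should not hold it.
    Write-Warning 'This host is a domain controller. TMG should be a member server, not a DC.'
}
elseif (-not $cs.PartOfDomain) {
    Write-Warning 'This host is in a workgroup. Join it to the users domain before installing TMG if you want user/group based rules.'
}
else {
    # Enumerate trusts from the computer's own domain: without a trust to a domain,
    # TMG cannot resolve that domain's users or groups in its access rules.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $trusts = $domain.GetAllTrustRelationships()
    if ($trusts.Count -eq 0) {
        "No trusts from {0}: only accounts in this domain can be used in TMG rules." -f $domain.Name
    }
    else {
        $trusts | Select-Object SourceName, TargetName, TrustDirection, TrustType | Format-Table -AutoSize
    }
}
```

If the Geek001-5 names turn out to be separate domains, run this once the host is joined and check that every domain whose users need browsing rules appears with an Inbound or Bidirectional TrustDirection.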
Clint Jones (Author) commented:
Thanks, and sorry for the delay; I will be responding back to this question and still need help with the issue... Clint