| Microsoft Forefront Threat Management Gateway 2010 management console | |
|---|---|
| Developer(s) | Microsoft |
| Initial release | 1 January 1997 |
| Operating system | Windows Server 2008 |
| Platform | x86-64 |
| Available in | English, Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian and Spanish[2] |
| Type | Router, firewall, antivirus program, VPN server, web cache |
| License | Trialware |
| Website | www.microsoft.com/tmg |
Microsoft Forefront Threat Management Gateway (Forefront TMG), formerly known as Microsoft Internet Security and Acceleration Server (ISA Server), is a network router, firewall, antivirus program, VPN server and web cache from Microsoft Corporation. It runs on Windows Server and works by inspecting all network traffic that passes through it.[4]
Features
Microsoft Forefront TMG offers a set of features which include:[5]
- Routing and remote access features: Microsoft Forefront TMG can act as a router, an Internet gateway, a virtual private network (VPN) server, a network address translation (NAT) server and a proxy server.
- Security features: Microsoft Forefront TMG is a firewall which can inspect network traffic (including web content, secure web content and emails) and filter out malware, attempts to exploit security vulnerabilities, and content that does not match a predefined security policy. In technical terms, Microsoft Forefront TMG offers application layer protection, stateful filtering, content filtering and anti-malware protection.
- Network performance features: Microsoft Forefront TMG can also improve network performance: It can compress web traffic to improve communication speed. It also offers web caching: It can cache frequently-accessed web content so that users can access them faster from the local network cache. Microsoft Forefront TMG 2010 can also cache data received through Background Intelligent Transfer Service, such as updates of software published on Microsoft Update website.
History
Microsoft Proxy Server
The Microsoft Forefront Threat Management Gateway product line originated with Microsoft Proxy Server. Developed under the code-name 'Catapult',[6] Microsoft Proxy Server v1.0 was first launched in January 1997,[7] and was designed to run on Windows NT 4.0. Microsoft Proxy Server v1.0 was a basic product designed to provide Internet access for clients in a LAN environment via TCP/IP. Support was also provided for IPX/SPX networks (primarily used in legacy Novell NetWare environments), through a WinSock translation/tunnelling client which allowed TCP/IP applications, such as web browsers, to operate transparently without any TCP/IP on the wire. Although well integrated into Windows NT4,[8] Microsoft Proxy Server v1.0 only had basic functionality, and came in only one edition. Extended support for Microsoft Proxy Server v1.0 ended on 31 March 2002.[7]
Microsoft Proxy Server v2.0 was launched in December 1997,[9] and included better NT Account Integration, improved packet filtering support, and support for a wider range of network protocols. Microsoft Proxy Server v2.0 exited the extended support phase and reached end of life on 31 December 2004.[9]
ISA Server 2000
On 18 March 2001, Microsoft launched Microsoft Internet Security and Acceleration Server 2000 (ISA Server 2000).[10] ISA Server 2000 introduced the Standard and Enterprise editions, with enterprise-grade functionality such as high-availability clustering not included in the Standard Edition. ISA Server 2000 required Windows 2000 (any edition) and would also run on Windows Server 2003. In accordance with Microsoft's Support Lifecycle Policy, ISA Server 2000 was the first ISA Server product to use the 10-year support lifecycle, with five years of mainstream support and five years of extended support. ISA Server 2000 reached end of life on 12 April 2011.[10]
ISA Server 2004
Microsoft Internet Security and Acceleration Server 2004 (ISA Server 2004) was released on 8 September 2004.[11] ISA Server 2004 introduced multi-networking support, integrated virtual private networking configuration, extensible user and authentication models, application layer firewall support, Active Directory integration, SecureNAT, and improved reporting and management features. The rule-based configuration was also considerably simplified compared with ISA Server 2000.
ISA Server 2004 Enterprise Edition included array support, integrated Network Load Balancing (NLB), and Cache Array Routing Protocol (CARP). One of the core capabilities of ISA Server 2004, dubbed Secure Server Publishing, was its ability to expose an organization's internal servers to the Internet in a controlled way. For example, some organizations use ISA Server 2004 to publish their Microsoft Exchange Server services such as Outlook Web Access (OWA), Outlook Mobile Access (OMA) or ActiveSync. Using the Forms-based Authentication (FBA) type, ISA Server can pre-authenticate web clients so that traffic from unauthenticated clients is not forwarded to the published servers.
ISA Server 2004 is available in two editions, Standard and Enterprise. Enterprise Edition contains features enabling policies to be configured on an array level, rather than on individual ISA Servers, and load-balancing across multiple ISA Servers. Each edition of ISA Server is licensed per processor. (The version included in Windows Small Business Server 2000/2003 Premium includes licensing for 2 processors.)
ISA Server 2004 runs on Windows Server 2003 Standard or Enterprise Edition. Appliance hardware containing Windows Server 2003 Appliance Edition and ISA Server Standard Edition is available from a variety of Microsoft Partners.[12]
ISA Server 2006
Microsoft Internet Security and Acceleration Server 2006 (ISA Server 2006) was released on 17 October 2006.[13] It is an updated version of ISA Server 2004, and retains all features from ISA Server 2004 except Message Screener.
ISA Server 2006 introduced new features including:
- Support for Exchange Server 2007 (referred to as 'Exchange 12' in the Microsoft ISA Server 2006 Evaluation Guide)[14](p73)
- New configuration wizards for various tasks such as setting up a 'site-to-site VPN connection', publishing SharePoint services, publishing websites, creating firewall rules.[14](pp75,80)
- Introduction of single sign-on for groups of published web sites.[14](p82)
- Improvements to user authentication including the addition of LDAP Authentication support[14](p82)
- Resistance to flood attacks, to protect the ISA server from being 'unavailable, compromised, or unmanageable during a flooding attack.'[14](pp55,62-64,81)
- Performance features such as 'BITS Caching, Web Publishing Load Balancing and HTTP compression'.[14](p84)
ISA Server Appliance Edition
Microsoft also offered ISA Server 2006 Appliance Edition. It was designed to be pre-installed onto OEM hardware (server appliances) that are sold by hardware manufacturers as a stand-alone firewall type device.[15] Along with Appliance Edition, ISA Server 2006 Standard Edition and Enterprise Edition were available in preconfigured hardware.[14](p76)
Microsoft Forefront TMG MBE
Microsoft Forefront Threat Management Gateway Medium Business Edition (Forefront TMG MBE) is the next version of ISA Server which is also included with Windows Essential Business Server. This version only runs on the 64-bit edition of Windows Server 2008 and does not support Enterprise edition features such as array support or Enterprise policy. Mainstream support for Forefront TMG MBE ended on November 12, 2013.[16]
Microsoft Forefront TMG 2010
Microsoft Forefront Threat Management Gateway 2010 (Forefront TMG 2010) was released on 17 November 2009.[17] It is built on the foundation of ISA Server 2006 and provides enhanced web protection, native 64-bit support, support for Windows Server 2008 and Windows Server 2008 R2, malware protection and BITS caching. Service Pack 1 for this product was released on 23 June 2010.[18] It includes several new features to support Windows Server 2008 R2 and SharePoint 2010 lines of products.[19] Service Pack 2 for this product was released on 10 October 2011.[1] On 9 September 2012 Microsoft announced no further development will take place on Forefront Threat Management Gateway 2010 and the product will no longer be available for purchase as of 1 December 2012. Mainstream support ceased on 14 April 2015 and extended support will end on 14 April 2020.[3]
References
- [1] 'Download details: Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2'. Microsoft Download Center. Microsoft Corporation. 10 October 2011. Retrieved 17 November 2011.
- [2] 'Download Microsoft Forefront Threat Management Gateway 2010'. Microsoft Corporation. Retrieved 26 March 2010.
- [3] 'Important Changes to Forefront Product Roadmaps'. Microsoft TechNet. Microsoft Corporation. 12 September 2012. Archived from the original on 18 October 2012. Retrieved 22 September 2012.
- [4] 'Forefront Threat Management Gateway: Overview'. Microsoft. Retrieved 1 March 2010.
- [5] 'Forefront Threat Management Gateway: Features'. Microsoft Corporation. Retrieved 1 March 2010.
- [6] 'Microsoft Ships Proxy Server 1.0'. News Center. Microsoft. 29 October 1996. Archived from the original on 26 October 2012. Retrieved 10 June 2017.
- [7] 'Microsoft Support Lifecycle'. Retrieved 5 June 2007.
- [8] 'Microsoft ISA Server'. Retrieved 5 June 2007.
- [9] 'Microsoft Support Lifecycle: Proxy Server 2.0 Standard Edition'. Retrieved 5 June 2007.
- [10] 'Microsoft Support Lifecycle ISA 2000'. Retrieved 9 March 2009.
- [11] 'Microsoft Support Lifecycle ISA 2004'. Retrieved 9 March 2009.
- [12] 'Deploy ISA Server and IAG in Minutes with Hardware Solutions'. Retrieved 5 June 2007.
- [13] 'Microsoft Support Lifecycle ISA 2006'. Retrieved 9 March 2009.
- [14] 'Microsoft ISA Server 2006 Evaluation Guide' (DOC). Microsoft. July 2006. Archived from the original on 30 August 2006. Retrieved 31 August 2018.
- [15] 'Internet Security and Acceleration Server: hardware partners'. Microsoft. Archived from the original on 30 January 2009. Retrieved 21 January 2009.
- [16] http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=forefront&Filter=FilterNO
- [17] 'Forefront Threat Management Gateway 2010 Release'. Forefront TMG (ISA Server) team blog. Microsoft Corporation. 17 November 2009. Retrieved 26 March 2010. "It is our pleasure to announce that Forefront Threat Management Gateway (TMG) 2010 was released to manufacturing yesterday (Nov 16th, 2009) [~snip~]"
- [18] 'Download details: Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1'. Microsoft Download Center. Microsoft Corporation. 23 June 2010. Retrieved 15 July 2010.
- [19] 'What's new in Forefront TMG 2010 SP1'. Microsoft TechNet. Microsoft Corporation. 15 June 2010. Retrieved 15 July 2010.
Microsoft Forefront Threat Management Gateway 2010 (TMG) is designed to provide a comprehensive, secure Web gateway that helps protect employees from Web-based threats.
URL Filtering
Destination URLs are examined for compliance with corporate policy and for malicious potential of destination Web site. Forefront TMG uses Microsoft Reputation Services for URL filtering, combining multiple sources to increase coverage of URLs and categorization.
URLs and categories will increase as the Forefront TMG Beta 3 continues through Summer 2009.
Web antivirus/anti-malware protection
Inbound and outbound Web traffic is inspected for viruses and malware, including the contents of archive files. Encrypted archives can be blocked. For large files, the content is trickled to the user to show that the download is in progress while the file is scanned.
E-mail security
Forefront TMG provides central management for Exchange and Forefront Protection 2010 for Exchange when located on the same server. Forefront TMG does not include either Exchange or Forefront Protection 2010 for Exchange. Both must be purchased and installed separately.
HTTPS inspection
HTTPS-encrypted sessions can be inspected for malware or exploits. Specific groups of sites—such as banking sites—can be excluded from inspection for privacy reasons. Users of the TMG Firewall Client can be notified of the inspection.
Network Inspection System (NIS)
Traffic can be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS enables blocking of classes of attacks while minimizing false positives. Protections can be updated as needed.
Enhanced Network Address Translation (NAT)
Forefront TMG now enables you to specify individual e-mail servers that can be published on a 1-to-1 NAT basis.
Enhanced Voice over IP support
Forefront TMG includes SIP traversal, enabling simpler deployment of Voice over IP within the network.
Windows Server 64-bit support
Forefront TMG is installed on Windows Server 2008 with 64-bit support.
| Feature | Description |
|---|---|
| Multi-layer firewall | Forefront TMG provides access control and protection on three layers: packet filtering, stateful inspection, and application layer filtering. |
| Application layer filtering | Forefront TMG provides deep content filtering through built-in application filters. |
| Granular HTTP controls | Forefront TMG delivers customizable, granular controls over HTTP traffic, including file download controls, signature-based blocking and HTTP method controls. Forefront TMG provides strong controls over Web-based threats. |
| DoS protections | Forefront TMG provides resiliency against flood attacks and re-allocates resources to provide higher security inspection. |
| Extensive protocol support | Forefront TMG delivers out-of-the-box support for many protocols. New protocols can be defined. |
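The "Granular HTTP controls" row above names three request-level controls: HTTP method controls, file download controls and signature-based blocking. The following Python block is an added example written for this page, not Forefront TMG code: it parses a raw HTTP/1.1 request and evaluates it against a small constructed policy that implements those three controls, returning the action and the reason a log line would carry. The policy keys, signature names, the host `www.example` and the sample requests are all constructed for the illustration.

```python
"""Constructed model of granular HTTP controls: method allow-list, download controls, signatures."""
import re

# Constructed policy; key names and signature names are illustrative, not TMG configuration.
HTTP_POLICY = {
    "allowed_methods": {"GET", "POST", "HEAD"},
    "blocked_extensions": {".exe", ".scr", ".bat"},
    "signatures": [  # where to look (url, header:<name> or body) and a regex to match there
        {"name": "block-legacy-agent", "where": "header:user-agent", "pattern": r"^LegacyAgent/"},
        {"name": "block-path-traversal", "where": "url", "pattern": r"\.\./"},
    ],
}

def parse_request(raw):
    """Split a raw HTTP/1.1 request (bytes) into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": target, "headers": headers, "body": body}

def evaluate_request(req, policy=HTTP_POLICY):
    """Return ("allow", None) or ("deny", reason); order is method, then extension, then signatures."""
    if req["method"] not in policy["allowed_methods"]:
        return "deny", f"HTTP method {req['method']} not permitted"
    path = req["url"].split("?", 1)[0].lower()   # ignore the query string when checking the file name
    for ext in sorted(policy["blocked_extensions"]):
        if path.endswith(ext):
            return "deny", f"download of {ext} files blocked"
    for sig in policy["signatures"]:
        where, _, field = sig["where"].partition(":")
        if where == "url":
            haystack = req["url"]
        elif where == "header":
            haystack = req["headers"].get(field, "")
        else:  # body
            haystack = req["body"].decode("latin-1", "replace")
        if re.search(sig["pattern"], haystack):
            return "deny", f"signature {sig['name']} matched in {sig['where']}"
    return "allow", None

# Constructed sample requests against the hypothetical host www.example.
SAMPLE_REQUESTS = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Browser/1.0\r\n\r\n",
    "exe_download": b"GET /tools/setup.exe?x=1 HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "legacy_agent": b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: LegacyAgent/2.0\r\n\r\n",
    "traversal": b"GET /files/../../secret HTTP/1.1\r\nHost: www.example\r\n\r\n",
}

def run_samples():
    """Evaluate every sample; returns name -> (action, reason)."""
    return {name: evaluate_request(parse_request(raw)) for name, raw in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, (action, reason) in run_samples().items():
        print(f"{name:14} {action:5} {reason or ''}")
```

The checks are deliberately ordered from cheapest to most expensive (method, then file name, then regular expressions), and every denial carries the rule that fired so that the gateway log explains itself.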
| Feature | Description |
|---|---|
| Highly secure e-mail access from Outlook client | Remote users can access Exchange Server using the full Outlook MAPI client over the Internet without establishing a VPN connection. The connection is encrypted for security. |
| Simple Outlook Web Access and Microsoft Office SharePoint Server publishing | Simple wizards allow quick configuration of remote access for both Outlook Web Access and SharePoint servers. Outlook Web Access users can be authenticated at the Forefront TMG server, preventing attacks by unauthenticated users. |
| Highly secure publishing of Web servers, internal servers, and Terminal Services | Remote users can access internal resources or Web servers more securely. Link translation is provided. |
| Single sign-on | Forefront TMG allows users to access a group of published Web sites without being required to authenticate with each Web site. |
| Delegation of basic authentication | Forefront TMG helps protect published Web sites from unauthenticated access by requiring the Forefront TMG firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server. |
| Link translation to internal servers | Forefront TMG includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names. Link translation is applied automatically during Web publishing. |
| SSL bridging support | To guard against attacks embedded in HTTP traffic, SSL bridging allows SSL-protected packets to be decrypted by Forefront TMG, inspected, and re-encrypted. |
| Feature | Description |
|---|---|
| Site-to-site VPN | Forefront TMG enables quick connectivity between sites via a wizard-based approach. It can also be configured for tunnel-mode IPsec to support third-party devices. |
| Remote access VPN | Forefront TMG provides termination of L2TP/IPsec and PPTP VPN sessions, using the native Windows VPN services. |
| Inspection of VPN traffic | VPN traffic terminated on the Forefront TMG server is inspected according to the appropriate security policy. |
| VPN quarantine | Forefront TMG provides deep VPN client inspection and integration with your firewall policy. |
| SecureNAT for VPN clients | Forefront TMG helps ensure that remote users connected to the network can gain Internet access while maintaining a strong security policy for the corporate network. |
| Publish VPN servers | Forefront TMG can be used to publish internal Windows servers as VPN servers. |
| Feature | Description |
|---|---|
| Enterprise policy | Policy can be assigned to gateways, arrays, or enterprise-wide. |
| Easy-to-use wizards | Forefront TMG simplifies configuration with multiple wizards for features such as Web publishing, Web access, and array configuration. |
| Real-time monitoring and reporting | Logs may be viewed in real time or historically, including active sessions. |
| Query building | With a built-in query tool, historical data can be found quickly. Complex queries can be built. |
| Report creation and publishing | Reports can be designed for specific needs and then published locally or to a network file share. |
| External logging | Logs may be sent to a Microsoft SQL Server located on the internal network. |
| Delegated permissions | Admin roles can be delegated to users or groups. |
| Feature | Description |
|---|---|
| Network load balancing | Forefront TMG leverages network load balancing to provide failover and scaling of performance. |
| Network-based configuration | You may configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. Forefront TMG extends the firewall and security features to apply to traffic between any networks or network objects. |
| Caching | Forefront TMG provides caching to improve user experience and reduce bandwidth costs. With the centralized cache rule mechanism of Forefront TMG, you can configure how objects stored in the cache are retrieved and served from the cache. |
| Background Intelligent Transfer Service (BITS) caching | Forefront TMG provides the caching mechanism for data received through BITS. Any cache rule that you create can be enabled to cache BITS data. |
| HTTP compression | You can reduce file size by using algorithms to eliminate redundant data during transmission of HTTP packets. |
| Diffserv (Quality of Service) | Forefront TMG includes packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits. |
URL Filtering
Quick Introduction
URL Filtering allows controlling end-user access to Web sites, protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic materials, based on predefined URL categories.
The typical use case for this feature includes:
- Enhancing your security
- Lowering liability risks
- Improving the productivity of your organization
- Saving network bandwidth
The URL Filtering administration experience is pretty straightforward. All you need to do after enabling the feature is add one or more of the predefined URL categories into Forefront TMG policy (you can find some UI snapshots further below). Once this is done, end-users browsing to a Web site included in one of those categories will be blocked and presented with a relevant notification page, which you can customize.
Additional value can be obtained from URL Filtering related reports and log entries. Have you ever wanted to understand how Web usage in your organization is distributed? And how about identifying those users who consistently violate your Web usage policy? You can do those easily now by looking at the built-in URL filtering reports.
Finally, URL Filtering categories can also be leveraged to exclude sites from being inspected by the HTTPS Traffic inspection and the Malware Inspection features. For instance, you may wish to exclude financial sites from HTTPS inspection, due to privacy considerations.
Before going into further details, note that the feature is still in Beta, so we do expect significant improvements in coverage and accuracy by the final TMG release.
URL categorization data, where does it come from?
TMG features over 80 URL categories ranging from security-oriented selections, like Phishing, Malicious and Anonymizers, through productivity-oriented categories such as Games or Instant Messaging, and ending with liability-oriented categories like Criminal Activities and Pornography. Categories are also grouped into a higher-level hierarchy which we call Category Sets. The latter can also be used in TMG policy to simplify configuration.
As some of you may have noticed, at the RSA 2009 Conference Microsoft announced its new reputation services and its intention to provide these capabilities for our security products and solutions. Microsoft also announced several key partnerships in the URL filtering space that will be used to support these reputation services. Forefront TMG will be the first system at Microsoft to leverage and utilize Microsoft Reputation Service (MRS).
MRS is a cloud-based object categorization system hosted in Microsoft data centers and designed to provide comprehensive reputation content to enable core trust scenarios across Microsoft solutions. In the case of Forefront TMG, in order to find out the category of a URL, TMG issues an online query to MRS. MRS maintains a database with tens of millions of unique URLs and their respective categories.
Does this mean every end-user request is sent out to the cloud? No, it doesn't. To improve bandwidth utilization and performance, we have implemented a local cache (residing on the TMG server) that stores recently queried URLs and their respective categories. Cache entries are subject to a time-to-live value, so that each entry is refreshed periodically. This local cache is expected to serve the overwhelming majority of user requests. The cache is persistent, so it doesn't need to be rebuilt after each reboot. TMG will query MRS only when a request cannot be served from the local cache.
But that’s only the tip of the iceberg. Read on to find out why we think we are building something special with TMG and MRS together.
What is so special about Microsoft Reputation Service (MRS)?
The MRS team wanted to confront an inherent problem with traditional URL Filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution on its own. As a result, there are multiple vendors out there, each one specializing in a specific area of the solution.
Some vendors specialize in identifying malicious sites and spam URLs; others are rich with productivity related categories. Some specialize in covering the Internet’s “long tail”; others are great with quick classification of previously unknown sites. Some use human-based classification where others use machine-based techniques. Some are great with Web2.0 style URLs… OK, I’ll stop here as you get the idea by now. Even those vendors who employ several classification techniques and cover multiple categories can’t deal with the huge and ever-expanding challenges of today’s Web.
MRS team’s idea was simple; let’s leverage complementary capabilities of different vendors/sources to create a unified database that is best suited to deal with the challenges described above. And so, they have implemented a scalable architecture that allows incorporating multiple streams of data into a merged database. This way – each vendor/source brings its unique strengths to the table into a common solution.
MRS already integrates several data sources and others will be on-boarded in the following months. Some of these data sources are Microsoft internal, and others are the result of collaboration with 3rd-party partners. One such agreement, announced during RSA, is an agreement with Marshal8e6. Other agreements have not been disclosed yet. Expect some surprises…
But the real beauty is that being a Web service, and given its unique architecture, MRS can easily incorporate new DBs completely transparently to the customers. We expect the MRS unified database to expand over time and become the recognized industry leader. TMG customers will benefit naturally from this ongoing upgrade, through our Web security subscription services.
Other interesting aspects – security, privacy, licensing
Security – Both Forefront TMG URL Filtering and MRS were designed with security in mind, following Microsoft’s Security Development Lifecycle (SDL) strict standards and guidelines. Both are resilient to a variety of attacks, and the communication between the two is encrypted.
Privacy – this is a known concern when discussing cloud based services, and therefore the privacy of our customers’ data is paramount. We are issuing detailed privacy statements along with the Beta 3 release to provide clarity and transparency on our privacy policies. Make sure to read those.
Licensing – URL Filtering is subscription based, and is part of the Forefront TMG Web Security Service license (together with the Malware Inspection updates).
The small (but important) things
As this is a high-level overview of the feature, we will not dive into all the small details that make for a complete, rich user experience. We will cover some of those in subsequent posts, as we go along. But here are a few examples of the flexibility you are likely to need or want when working with URL Filtering:
- You can locally override a URL category
- You can query for a URL’s category in the TMG UI
- You can customize the block page displayed to end-users, introducing your own HTML tags into the text area.
- You can leverage URL Filtering for ad blocking
- You can use the built-in TMG scripting capabilities to allow non-TMG administrators to locally override a URL (enabling advanced help-desk scenarios)
- You can use URL Filtering related reports to figure out how your organization uses the Internet (which are the top browsed categories for instance)
- You can report classification issues to Microsoft (this one is not available in Beta 3)
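The post describes a three-stage lookup (a local override, then a persistent local cache with a time-to-live, then an online query to MRS on a cache miss), category sets used directly in policy, and URL categories used to exclude sites such as financial ones from HTTPS inspection. The following Python block is an added example written for this page, not Forefront TMG or MRS code: it models that pipeline end to end with an injectable clock so that cache expiry can be observed, and it simulates a reboot by saving the cache to disk and loading it into a fresh instance. The category-set memberships, the in-memory `CLOUD_DB` that stands in for the reputation service, and the hostnames `bad.example`, `games.example` and `bank.example` are all constructed for the illustration.

```python
"""Constructed model of URL filtering: local override, then a persistent TTL cache, then a cloud query."""
import json
import os
import tempfile
import time
from urllib.parse import urlsplit

# Constructed category sets: the names echo the post, the membership is illustrative only.
CATEGORY_SETS = {
    "Security": {"Phishing", "Malicious", "Anonymizers"},
    "Productivity": {"Games", "Instant Messaging"},
    "Liability": {"Criminal Activities", "Pornography"},
}
# Constructed stand-in for the cloud categorization service (hypothetical hostnames).
CLOUD_DB = {"bad.example": "Phishing", "games.example": "Games", "bank.example": "Finance"}
CLOUD_QUERIES = []  # every hostname that actually left the gateway for the "cloud"

def cloud_lookup(host):
    """Simulated online query; a real gateway sends this over an encrypted channel."""
    CLOUD_QUERIES.append(host)
    return CLOUD_DB.get(host, "Uncategorized")

def host_of(url):
    return urlsplit(url).hostname or ""

class CategoryCache:
    """Local host -> category cache with a per-entry time-to-live, persistable to disk."""
    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self.entries = {}       # host -> (category, expires_at)

    def get(self, host):
        hit = self.entries.get(host)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.entries.pop(host, None)  # absent or expired: force a fresh lookup
        return None

    def put(self, host, category):
        self.entries[host] = (category, self.clock() + self.ttl)

    def save(self, path):
        with open(path, "w") as f:
            json.dump(self.entries, f)

    def load(self, path):
        with open(path) as f:
            self.entries = {h: tuple(v) for h, v in json.load(f).items()}

class UrlFilter:
    """Denied category sets/categories, local overrides and HTTPS-inspection exclusions."""
    def __init__(self, cache, overrides=None, deny_sets=(), deny_categories=(), no_inspect=()):
        self.cache = cache
        self.overrides = dict(overrides or {})   # host -> category, consulted before any lookup
        self.deny = set(deny_categories)
        for name in deny_sets:
            self.deny |= CATEGORY_SETS[name]
        self.no_inspect = set(no_inspect)

    def categorize(self, url):
        host = host_of(url)
        if host in self.overrides:
            return self.overrides[host], "override"
        cat = self.cache.get(host)
        if cat is not None:
            return cat, "cache"
        cat = cloud_lookup(host)
        self.cache.put(host, cat)
        return cat, "cloud"

    def decide(self, url):
        cat, source = self.categorize(url)
        return {"host": host_of(url), "category": cat, "source": source,
                "action": "deny" if cat in self.deny else "allow",
                "inspect_https": cat not in self.no_inspect}

def demo():
    """Cache miss, hit, expiry, local override, inspection exclusion and a simulated reboot."""
    clock = [1000.0]
    cache = CategoryCache(ttl_seconds=300, clock=lambda: clock[0])
    policy = UrlFilter(cache, overrides={"games.example": "Business"},
                       deny_sets=["Security", "Liability"], no_inspect=["Finance"])
    start = len(CLOUD_QUERIES)
    first = policy.decide("https://bad.example/login")   # miss: goes to the cloud
    second = policy.decide("https://bad.example/reset")  # same host: served from cache
    clock[0] += 301                                      # entry passes its TTL
    third = policy.decide("https://bad.example/x")       # refreshed from the cloud
    game = policy.decide("http://games.example/play")    # local override wins, no lookup
    bank = policy.decide("https://bank.example/")        # allowed, excluded from inspection
    with tempfile.TemporaryDirectory() as d:             # persistence across a "reboot"
        path = os.path.join(d, "urlcache.json")
        cache.save(path)
        restarted = CategoryCache(ttl_seconds=300, clock=lambda: clock[0])
        restarted.load(path)
        after = UrlFilter(restarted, deny_sets=["Security"]).decide("https://bank.example/")
    return {"first": first, "second": second, "third": third, "game": game, "bank": bank,
            "after_restart": after, "cloud_queries": len(CLOUD_QUERIES) - start}
```

Running `demo()` shows why the design keeps cloud traffic low: six decisions produce only three outbound queries, the override never leaves the box at all, and the entry reloaded from disk is still honoured until its own expiry time. Keying the cache by host rather than full URL is a simplification of this example; a production categorizer would also have to decide how much of the path participates in the lookup.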
A sneak peek at the UI
TMG Web Access Wizard allows you to easily introduce URL categories into your policy:
This is how the policy may look after completing the Web Access Wizard (viewed from the Web Access Protection node). Note that URL Categories are standard TMG network objects, so you can use the toolbox on the right to drag and drop additional categories into an existing rule, or to create new rules.
You can query for a URL’s category (available as a task in the Web Access Protection node)
You can locally override a URL’s category (available as a task in the Web Access Protection node)
You can customize the block page presented to end users, introducing your own HTML tags (this is a per-rule setting available from the ‘Action’ tab of the rule’s properties)
Read the whole article at Infrastructure Tek Bits: Microsoft Threat Management Gateway (TMG) 2010 – Key Features & Capabilities