I love new things, and I am excited about coming into this new position just in time to introduce a new product: Microsoft's Threat Management Gateway 2010 EE RTM. In this article, we'll start at the beginning, with how to install TMG 2010 EE RTM.
Of course, the real beginning is the planning phase, where you determine what the hardware requirements are going to be, and what role the TMG firewall is going to play on your network. However, if you're new to the TMG firewall, you probably just want to get it installed and see what it looks like. Planning for deployment can take place later if you decide you like what you see, and we'll address that in a later article. Meanwhile, this is the first of a two-part piece that will guide you through the installation process and point out potential "gotchas" that you might encounter along the way.
Let us get started!
As always, the first step is to make sure your hardware meets the minimum requirements, which you can find here.
Many of you will be doing this initial installation for testing and evaluation purposes. So we will install the RTM release of the TMG firewall in a virtual machine, and the VM will have two network interfaces:
- An external interface, which is bridged to the production network that allows it to connect to the Internet, and
- An internal interface that only allows it to connect to other virtual machines.
In this example, the only other virtual machine is a domain controller, and the TMG firewall belongs to the same domain as the domain controller.
This is going to be a "vanilla" install. The only things we have done in advance are to join the TMG virtual machine to the domain and then install Windows Updates. I have not installed any Exchange components or any other "out of band" software. Our goal is to do what most admins will do - install the software in an "out of the box" configuration and then try to make it do what we want it to do as we learn more about the product.
NOTE: One thing that you should know before we get started is the DNS configuration on the TMG VM's NICs. Because you should never (well, almost never) include an external DNS server on any of the firewall's NICs, I have configured the external interface with no DNS server setting, and the internal interface with the IP address of the internal DNS server, which is also a domain controller. This is going to cause some issues that I'll talk about later when we run into them.
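As an added example (not from the article and not a TMG tool), here is a PowerShell check you can run on the VM before installing, to confirm the NIC DNS configuration described in the note. It uses WMI only, so it works with the PowerShell 2.0 that ships on the Windows Server 2008 R2 host TMG runs on. It assumes the usual ISA/TMG convention that the NIC carrying the default gateway is the external one, and the address in $InternalDnsServers is a constructed lab value for the internal DNS server/domain controller; change it to match your own network.

```powershell
# Added example: audit DNS client settings on every IP-enabled NIC of the TMG host.
# Rule applied: the external NIC (the one with the default gateway) should have NO
# DNS servers; the internal NIC should point only at the internal DNS server(s).
# Assumption: the default-gateway heuristic identifies the external NIC, and the
# address below is a constructed lab value for the internal DC/DNS server.
$InternalDnsServers = @('10.0.0.2')

function Get-TmgNicDnsReport {
    param([string[]]$ExpectedInternalDns = $InternalDnsServers)

    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($nic in $nics) {
        # Where-Object drops $null so an empty property becomes an empty array
        $gateways = @($nic.DefaultIPGateway | Where-Object { $_ })
        $dns      = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $isExternal = ($gateways.Count -gt 0)
        $role = 'Internal'
        if ($isExternal) { $role = 'External' }

        $problems = @()
        if ($isExternal -and $dns.Count -gt 0) {
            $problems += "external NIC has DNS servers configured: $($dns -join ', ')"
        }
        if (-not $isExternal) {
            if ($dns.Count -eq 0) {
                $problems += 'internal NIC has no DNS server (AD/DC lookups will fail)'
            }
            foreach ($server in $dns) {
                if ($ExpectedInternalDns -notcontains $server) {
                    $problems += "internal NIC points at unexpected DNS server $server"
                }
            }
        }
        $status = 'OK'
        if ($problems.Count -gt 0) { $status = ($problems -join '; ') }

        New-Object PSObject -Property @{
            Adapter    = $nic.Description
            Role       = $role
            IPAddress  = (@($nic.IPAddress) -join ', ')
            Gateway    = ($gateways -join ', ')
            DnsServers = ($dns -join ', ')
            Status     = $status
        }
    }
}

Get-TmgNicDnsReport | Format-Table Adapter, Role, IPAddress, Gateway, DnsServers, Status -AutoSize
```

Any row whose Status is not OK is worth fixing before you start the installer: an external NIC with a DNS server set is exactly the configuration the note warns against, and an internal NIC with no DNS server is what makes the domain lookups during setup slow or fail.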
Here is a simple network diagram of what I am working with right now and for this article:
The first step is to download the evaluation version of the software. At this time, TMG is not available on MSDN, but you can download an evaluation here.
After you get the file downloaded, double click on it and it will unpack the files. After the files are unpacked, you will see the Welcome to Microsoft Forefront TMG page. This looks a bit different compared to what we saw with the ISA firewall and it includes some welcome new options. Notice the Prepare and Install section - now you can run Windows Updates from the installation page. We already did that, so we don’t need to do it now. Another new option, Run Preparation Tool, is one that we will use. Click that one now.
It’s clear that the TMG developers had large monitors when they created this interface. The dialog boxes are huge. I suppose that makes it nice for both the devs and the users – but makes it a bit of a pain for writers who have limited horizontal space for screenshots.
On the Welcome to the Preparation Tool for Microsoft Forefront Threat Management Gateway (TMG) page, click Next.
On the License Agreement page, put a checkmark in the I accept the terms of the License Agreements checkbox and click Next. Here you are accepting the license agreements for the Microsoft Chart Controls for Microsoft .NET Framework 3.5 and 3.5 SP1 and Microsoft Windows Installer 4.5.
On the Installation Type page, you have three options:
- Forefront TMG services and Management
- Forefront TMG Management only
- Enterprise Management Server (EMS) for centralized array management
The new TMG makes it easier than ever to work with TMG EE, in contrast to the complexity of EE management with the ISA firewall. That is why we are installing EE in this article series – to show that you can get EE installed easily. Later we’ll create a standalone array and then we will take down the standalone array and create an enterprise array. It’s easy and fun! But first, let’s just handle the basics and select the Forefront TMG services and Management option. Click Next.
On the Preparing System page, you will see installation progress for the prerequisite software.
The Preparation Complete page shows that the prerequisite software was installed successfully.
Now the Welcome to the Installation Wizard for Forefront TMG Enterprise page appears. Click Next to start installing TMG EE.
On the License Agreement page, select the I accept the terms in the license agreement option and click Next.
Enter your customer information (user name, organization name and product serial number) on the Customer Information page and click Next.
On the Installation Path page, you can use the default path or choose your own path in specifying the location where you want to install the TMG firewall’s files. In this example, we’ll use the default path and click Next.
Ah, now here is a blast from the past - the Define Internal Network page. For the TMG firewall, as for the ISA firewall, the default Internal Network is where your core infrastructure services are contained; these include Active Directory, DNS, DHCP and WINS. You can change this definition later if you like, but we need to be able to access these resources during installation, so we have to define the default Internal Network now.
Click the Add button on the Define Internal Network page. This brings up the Addresses dialog box. There are several ways to add the addresses for the default Internal Network, but my preferred method is to use the Add Adapter approach. Click Add Adapter.
On the Select Network Adapters dialog box, select the LAN NIC (or whatever name you have defined for that NIC) and then put a checkmark in the checkbox for that NIC. Make sure the information in the Network adapter details section accurately reflects the details of the NIC you selected. Then click OK.
The addresses associated with the internal NIC now appear in the Addresses text box. These addresses are based on routing table entries on the firewall - if you have not configured routing table entries on the firewall yet, these addresses might not be entirely correct, but it’s something that we can fix later, which you’ll see as we move through the installation process.
Click Next on the Define Internal Network page.
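To see where the Addresses box gets its entries, here is an added PowerShell example (not the article's or the product's own code) that approximates what Add Adapter does: it reads the host's IPv4 routing table, keeps the routes bound to the selected NIC, turns each one into a start-end range, and merges overlapping ranges. Running it before installation shows which ranges the wizard will propose and whether a missing static route will leave part of your internal network out. It assumes the internal NIC's connection name is LAN as in the article, and it uses WMI classes that exist on Windows Server 2008 R2.

```powershell
# Added example: approximate the address ranges that "Add Adapter" derives for a
# NIC from the IPv4 routing table. WMI only, so it runs under PowerShell 2.0.
# Assumption: the internal NIC's connection name is 'LAN' (the article's naming).

function ConvertTo-IpInt([string]$Dotted) {
    # Dotted quad -> integer in network order so we can do range arithmetic
    $bytes = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IpInt([int64]$Value) {
    $bytes = [BitConverter]::GetBytes([uint32]$Value)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return ($bytes -join '.')
}

function Get-AdapterAddressRanges {
    param([string]$ConnectionName = 'LAN')

    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$ConnectionName'"
    if (-not $adapter) { throw "No adapter with connection name '$ConnectionName'" }

    $ranges = @()
    $routes = Get-WmiObject Win32_IP4RouteTable -Filter "InterfaceIndex = $($adapter.InterfaceIndex)"
    foreach ($route in $routes) {
        $dest = ConvertTo-IpInt $route.Destination
        $mask = ConvertTo-IpInt $route.Mask
        # Skip entries that are not usable address ranges: the default route,
        # loopback, and multicast (224/4) plus everything above it, which
        # includes the limited broadcast address 255.255.255.255.
        if ($mask -eq 0) { continue }
        if ($route.Destination -like '127.*') { continue }
        if ($dest -ge (ConvertTo-IpInt '224.0.0.0')) { continue }

        $blockSize = 4294967296 - $mask          # 2^(32 - prefix length)
        $start = $dest - ($dest % $blockSize)    # network address (dest AND mask)
        $end   = $start + $blockSize - 1         # broadcast address
        $ranges += New-Object PSObject -Property @{ Start = $start; End = $end }
    }

    # Merge overlapping or adjacent ranges into the form the Addresses box shows
    $merged = @()
    foreach ($r in ($ranges | Sort-Object Start, End)) {
        if ($merged.Count -gt 0 -and $r.Start -le ($merged[-1].End + 1)) {
            if ($r.End -gt $merged[-1].End) { $merged[-1].End = $r.End }
        } else {
            $merged += New-Object PSObject -Property @{ Start = $r.Start; End = $r.End }
        }
    }

    foreach ($m in $merged) {
        New-Object PSObject -Property @{
            Start = ConvertFrom-IpInt $m.Start
            End   = ConvertFrom-IpInt $m.End
        }
    }
}

Get-AdapterAddressRanges -ConnectionName 'LAN' | Format-Table Start, End -AutoSize
```

If the output is only the directly connected subnet, that is the routing-table gap the article mentions: internal subnets reached through an internal router are not in the table yet, so they will not be in the default Internal Network either until you add the static routes (or edit the network definition) later.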
As with the installation of the ISA firewall, a number of services will need to be restarted or disabled when you’re installing the TMG firewall. In this case, these include:
- SNMP service
- IIS Admin service
- WWW Publishing Service
- Microsoft Operations Manager Service
TMG is not saying that these are currently installed – it’s just telling you that if they are installed, they’ll be disabled or restarted.
Click Install on the Ready to Install the Program page.
A progress bar shows your progress in the installation.
Another dialog box will appear and give you more information about how long things are going to take. Notice that these are estimated figures; despite the numbers you see here, it took almost 30 minutes for installation to complete for me. This might be related to DNS issues, which I'll discuss later.
Now the Installation Wizard has completed and you might think you’re finished. In the past, with the old ISA firewall, this would have been it. The next step would have been to go into the ISA firewall console and get to configuring Networks, Access Rules, and other components to get the thing working. But with TMG, you’re not quite done yet.
If you select the Launch Forefront TMG Management when the wizard closes checkbox, a set of three more wizards will run that make it possible to get up and running at the end of the installation process.
Because these wizards are new, and we’re at the end of our word count for this article, we’ll save our discussion of the new installation wizards for the next article in this two part series. Hopefully this will whet your appetite for what comes next.
In this article, we started off by explaining that we would install the new TMG 2010 EE firewall in a plain vanilla configuration. The only settings on the TMG firewall VM are the DNS settings, and the firewall VM has been joined to the domain before beginning the installation of the firewall software. Next we launched the installation process, configured the default Internal Network, and let the installation complete. In the next installment of this series, we’ll complete the installation of the firewall by going through the three new wizards that are nested in a new Getting Started Wizard. See you then! - Deb.
Source: isaserver