The TMG
You can download all of them, or just the TMG. The TMG will work fine without Stirling, but Stirling is something that you will definitely want to get to know in the future. Double click the file you downloaded. You'll see the Welcome to the InstallShield Wizard for the Forefront Threat Management Gateway page. Click Next.
Figure 1
Install the files to the default location, which is C:\Program Files (x86)\Microsoft ISA Server. Click Next.
Figure 3
Figure 4
Go to the C:\Program Files (x86)\Microsoft ISA Server folder and double click the ISAAutorun.exe file.
Figure 5
This opens the Microsoft Forefront TMG 270-Day Evaluation Setup dialog box. Click the Install Forefront TMG link.
Figure 6
This brings up the Welcome to the Installation Wizard for Microsoft Forefront Threat Management Gateway page. Click Next.
Figure 7
On the License Agreement page, select the I accept the terms in the license agreement option and click Next. Notice that the license agreement still contains the old code name of the product, which was Nitrogen.
Figure 8
On the Customer Information page, enter your User Name and Organization. The Product Serial Number will be filled in for you. Click Next.
Figure 9
Here we see a new setup option that wasn't available in previous versions of the product. On the Setup Scenarios page, you have the option to install the Forefront TMG or to install only the TMG Management console. In this example we're installing the entire product, so we'll select Install Forefront Threat Management Gateway and click Next.
Figure 10
On the Component Selection page, you have the options to install the TMG firewall software, the TMG management console, and the CSS. Yes, you guessed it: there are no more Standard and Enterprise editions of the ISA firewall. The TMG will be sold as a single edition, and this single edition uses the CSS, even if you have only a single-member TMG array. You will be able to create arrays using the TMG; however, that functionality is not available in this version of the TMG and will arrive in later betas. In this example we'll install all of these options in the default folder (we need to install in the default folder for this version of the TMG). Click Next.
Figure 11
It looks like I have a problem here. While the machine is a member of the domain, I forgot to log on with a user account that is a domain member. In order to install the TMG, you must be logged on as a domain user that has local administrator privileges on the TMG machine.
Figure 12
Looks like I'm going to have to restart the installation. We'll pick up where we left off after I log off, log on again, and restart the installation.
Figure 13
Now that I'm logged on as a domain user with local admin privileges, we pick up the installation process on the Internal Network page. If you've installed the ISA Firewall, you'll recognize this page from previous versions of the ISA Firewall. This is where you define the default Internal network. In almost all cases you should select the Add Adapter option, since this will define your default Internal network based on the routing table configured on the ISA Firewall. However, one thing I don't know is whether, if I change the configuration of the routing table on the ISA Firewall, the definition of the default Internal Network will automatically change. I'll bet a quarter that it doesn't, but it's something we'll have to check into in the future.
Figure 14
The Internal Network page now shows the definition of the default Internal Network. Click Next.
Figure 15
The Services Warning page informs you that the SNMP Service, the IIS Admin Service, the World Wide Web Publishing Service and the Microsoft Operations Manager Service will all be restarted during the installation. It's unlikely that you'll have already installed the Web server role on this machine, so you don't need to worry about the IIS Admin Service or the World Wide Web Publishing Service, but you should be aware of the SNMP and Microsoft Operations Manager Service restarts. Remember, TMG will install and configure IIS 7 for you.
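Two things in the steps above can be checked before you launch setup rather than discovered halfway through: that you are logged on as a domain account that is a local administrator (the mistake behind Figure 11), and which of the services named on the Services Warning page actually exist on the box and will therefore be bounced. The script below is an added example, not part of the original article or of the TMG product; it assumes Windows Server 2008 or 2008 R2 with PowerShell 2.0, run from an elevated prompt in the same session you will start the installer from. The function name Test-TmgInstallPrereqs is my own.

```powershell
# Added example: pre-flight check for the TMG installer prerequisites described
# in the walkthrough. Not part of the original article or of the TMG product.
# Assumes Windows Server 2008 / 2008 R2, PowerShell 2.0, elevated prompt.

function Test-TmgInstallPrereqs {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # A local account logs on as COMPUTERNAME\user, a domain account as DOMAIN\user.
    $accountDomain  = $identity.Name.Split('\')[0]
    $computer       = Get-WmiObject Win32_ComputerSystem
    $isDomainMember = [bool]$computer.PartOfDomain
    $isDomainUser   = $isDomainMember -and ($accountDomain -ine $env:COMPUTERNAME)

    # With UAC on, IsInRole only reports Administrator from an elevated prompt,
    # which is also what the installer needs.
    $isLocalAdmin = $principal.IsInRole($adminRole)

    # Services the Services Warning page says setup will restart, looked up by
    # display name so the check matches what the wizard shows. Missing ones are
    # simply not installed yet (IIS is added by TMG setup itself).
    $willRestart = Get-Service -DisplayName 'SNMP Service',
                                            'IIS Admin Service',
                                            'World Wide Web Publishing Service',
                                            'Microsoft Operations Manager*' `
                               -ErrorAction SilentlyContinue |
                   Select-Object DisplayName, Status

    $report = New-Object PSObject -Property @{
        LoggedOnAs       = $identity.Name
        ComputerDomain   = $computer.Domain
        IsDomainMember   = $isDomainMember
        IsDomainUser     = $isDomainUser
        IsLocalAdmin     = $isLocalAdmin
        ReadyForSetup    = ($isDomainMember -and $isDomainUser -and $isLocalAdmin)
        ServicesToBounce = @($willRestart)
    }

    if (-not $report.ReadyForSetup) {
        Write-Warning ('Log off and log on as a domain account that is a member of ' +
                       'the local Administrators group before running TMG setup.')
    }
    return $report
}

# Usage: run, then read ReadyForSetup and the list of services that will restart.
$result = Test-TmgInstallPrereqs
$result | Format-List LoggedOnAs, ComputerDomain, IsDomainMember, IsDomainUser, IsLocalAdmin, ReadyForSetup
$result.ServicesToBounce | Format-Table -AutoSize
```

If ServicesToBounce shows SNMP or a Microsoft Operations Manager agent as Running, schedule the install for a window where a brief gap in monitoring is acceptable; that is the point the Services Warning page is making.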
Figure 17
The progress bar shows you the installation progress. Here you can see the CSS being installed.
Figure 18
It worked! The Installation Wizard Completed page shows that the installation has completed successfully. Put a checkmark in the Invoke Forefront TMG Management when the wizard closes checkbox. Click Finish.
Figure 19
At this point you'll see the Protect the Forefront TMG Server Web page. Here you're provided information on turning on Microsoft Update, running the ISA BPA, and reading the Security and Protection section in the Help file. One thing I can tell you about the Help File so far is that they've done a fantastic job of upgrading its content. There is much more information, and much more real-world deployment information, included with the new and improved Help File. I recommend that you spend some time reading the Help file. I guarantee that even if you're a seasoned ISA Firewall admin, the TMG Help File is going to provide you with some new insights.
Figure 20
After the initial installation is complete, you'll see the new Getting Started Wizard. The Getting Started Wizard is new with the TMG and wasn't available in the previous versions of the ISA Firewall. There are three basic wizards included in the Getting Started Wizard, and an optional fourth one that we'll see when we finish the first three. The first wizard is the Configure network settings wizard. Click the Configure network settings link on the Getting Started Wizard page.
Figure 22
On the Network Template Selection page, select the network template that you want to apply to the TMG. These are the same network templates that were available with previous versions of the ISA Firewall. Click on each of the options and read the information provided on the lower part of the page. In this example, we'll use the preferred template, which is the Edge firewall template. Click Next.
Figure 23
On the Local Area Network (LAN) Settings page, you are given the opportunity to configure IP addressing information on the LAN interface. First, you select the NIC that you want to be the LAN interface on the ISA Firewall by clicking the drop-down menu for Network adapter connected to the LAN. The IP addressing information for this NIC will appear automatically. You can make changes to the IP addressing information here. Also, you can create additional static routes by clicking the Add button. One thing I don't know is what changes on this page will do to the definition of the default Internal Network. Suppose I configured the default Internal Network to be 10.0.0.0-10.0.0.255 but then decided to change the IP address on the internal interface on this page so that it was on a different network ID. Will the definition of the default Internal Network change? What if I add a static route on the internal interface of the TMG? Will these changes be reflected in the definition of the default Internal Network? I don't know, but it's something to investigate in the future. I won't make any changes on this page, as I had already set up the internal interface with the IP addressing information I required. Click Next.
Figure 24
The Internet Settings page allows you to configure IP addressing information on the external interface of the TMG firewall. Like the last page, you select the NIC that you want to represent the external interface by clicking the Network adapter connected to the Internet drop-down list. Also like the last page, you can change the IP addressing information. Since I already configured the external interface with the IP addressing information I wanted it to have, I'll make no changes here. Click Next.
Figure 25
The Completing the Network Setup Wizard page shows you the results of your changes. Click Finish.
Figure 26
This takes you back to the Getting Started Wizard page. The next wizard is the Configure system settings wizard. Click the Configure system settings link.
Figure 27
Click Next on the Welcome to the System Configuration Wizard page.
Figure 28
The Host Identification page asks you about the host name and domain membership of the TMG firewall. In this example, it has automatically detected the host name of the machine, which is TMG2009. The wizard has also identified the domain membership of the machine. I suspect that this wizard will allow you to join a domain if you haven't yet done so, and to leave the domain if you want to. Also, if the machine is a workgroup member, you have the opportunity to enter a primary DNS suffix that the ISA Firewall can use to register in your domain DNS, if you have DDNS enabled and you don't require secure DDNS updates. Since I have already configured this machine as a domain member, I don't need to make any changes on this page. Click Next.
Figure 29
That's it for the System Configuration Wizard. Click Finish on the Completing the System Configuration Wizard page.
Figure 30
One more wizard on the Getting Started Wizard page. Click the Define deployment options link.
Figure 32
On the Microsoft Update Setup page, you have the options Use the Microsoft Update service to check for updates and I do not want to use Microsoft Update Service. Note that not only does the TMG use the Microsoft Update service to update the OS and the TMG firewall software, it also uses it to check for malware definitions, which it does several times a day (by default, every 15 minutes). Since one of the major advantages of using a Microsoft firewall over other firewalls is the excellent auto-update feature, we'll go ahead and use the Microsoft Update site. Click Next.
Figure 33
On the Definition Update Settings page, you select whether you want the TMG firewall to check and install, check only, or do nothing with malware inspection updates. You can also set the polling frequency, which is set to every 15 minutes by default. Alternatively, you can set the updates to be downloaded once a day, and then configure the time of day when you want those updates installed. Click Next.
Figure 34
On the Customer Feedback page, choose whether or not you want to provide anonymous information to Microsoft about your hardware configuration and how the product is used. No information shared with Microsoft can be used to identify you, and no private information is released to Microsoft. I figure I share my name, birth date, social security number, driver's license number and address with my bank, and I trust Microsoft a lot more than I trust my bank, given the bank's requirements to share information with the Federal Government. So sharing this technical information with Microsoft is a no-brainer, and it helps make the product more stable and secure. Select the Yes, I am willing to participate anonymously in the Customer Experience Improvement Program (recommended) option.
Figure 35
On the Microsoft Telemetry Service page, you can configure your level of membership in the Microsoft Telemetry Service. The Microsoft Telemetry Service helps protect against malware and intrusion by reporting information to Microsoft about potential attacks, which Microsoft uses to help identify attack patterns and improve the precision and efficiency of threat mitigations. In some instances, personal information might be inadvertently sent to Microsoft, but Microsoft will not use this information to identify or contact you. It's hard to determine what kind of personal information might be sent, but since I'm in the habit of trusting Microsoft, I'll select the Join with an advanced membership option. Click Next.
Figure 36
The Completing the Deployment Wizard page shows the choices you made. Click Finish.
Figure 37
That's it! You're done with the Getting Started Wizard. But that doesn't mean that you're done. If you put a checkmark in the Run the Web Access wizard checkbox, the Web Access Wizard will start. Let's put a checkmark there and see what happens.
Figure 38
This starts the Welcome to the Web Access Policy Wizard. Since this is a new way of creating TMG firewall policies, I think we'll wait until the next article to get into the details of this wizard. It seems that the TMG will allow you to configure Web Access Policy in a way that's a bit different from how we did it with previous versions of the ISA Firewall, so I want to make sure we have an article dedicated to this feature.
Figure 39
Now that installation is complete, we can see the new console. If you look at the left pane of the console, you'll see that there aren't any nested nodes, which makes navigation a bit easier. Also, we see a new node, the Update Center node. This is where you can get information about updates to the anti-malware feature of the TMG, and also find out when the malware updates were installed.
Figure 40
After installation completed, I found that there were some errors. But this might be related to the fact that the TMG didn't work at all after the installation was complete. I was able to solve this problem by restarting the computer. I'm not sure whether this is related to running the TMG firewall on VMware Virtual Server, or if this is a beta bug.
Figure 41
Taking a look at the Initial Configuration Tasks, you can see that a number of roles and services were installed on this computer as part of the TMG installation. These include:
- Active Directory Lightweight Directory Services (ADAM)
- Network Policy and Access Services (required for RRAS and VPN)
- Web Server (IIS) (required for SQL reporting services and TMG reporting)
- Network Load Balancing Services (required for NLB support)
- Remote Server Administration Tools (don't know why these were installed)
- Windows Process Activation Service (most likely secondary to the Web server role requirements)
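Because the beta left the firewall not working until a reboot (Figure 40), it is worth having a quick post-install check that confirms the roles listed under Initial Configuration Tasks really landed and that the TMG services are up, rather than reading it off the GUI. The script below is an added example, not from the original article or from the TMG product. It assumes Windows Server 2008 R2 with the ServerManager PowerShell module (on Server 2008 without R2, query with servermanagercmd.exe -query instead); the Get-WindowsFeature names are the standard identifiers for those roles and features, while the service display-name pattern 'Microsoft Forefront TMG*' and the function name Get-TmgPostInstallReport are my own assumptions.

```powershell
# Added example: verify after setup that the roles and features the article lists
# are installed and that the TMG services are running. Not part of the original
# article or of the TMG product. Assumes Windows Server 2008 R2 and the
# ServerManager module.
Import-Module ServerManager

# Get-WindowsFeature identifiers for the items shown under Initial Configuration Tasks.
$expectedFeatures = @{
    'ADLDS'      = 'Active Directory Lightweight Directory Services (ADAM)'
    'NPAS'       = 'Network Policy and Access Services (RRAS and VPN)'
    'Web-Server' = 'Web Server (IIS) (reporting)'
    'NLB'        = 'Network Load Balancing (NLB support)'
    'RSAT'       = 'Remote Server Administration Tools'
    'WAS'        = 'Windows Process Activation Service'
}

function Get-TmgPostInstallReport {
    $features = foreach ($name in $expectedFeatures.Keys) {
        $f = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Feature   = $name
            Purpose   = $expectedFeatures[$name]
            Installed = [bool]($f -and $f.Installed)
        }
    }

    # Assumption: the TMG services have display names starting with
    # "Microsoft Forefront TMG". Check services.msc and adjust if not.
    $services = @(Get-Service -DisplayName 'Microsoft Forefront TMG*' -ErrorAction SilentlyContinue |
                  Select-Object DisplayName, Status)

    $missing = @($features | Where-Object { -not $_.Installed })
    $stopped = @($services | Where-Object { $_.Status -ne 'Running' })

    New-Object PSObject -Property @{
        Features        = @($features)
        Services        = $services
        MissingFeatures = @($missing | ForEach-Object { $_.Feature })
        StoppedServices = @($stopped | ForEach-Object { $_.DisplayName })
        # Healthy means every expected feature is present, at least one TMG
        # service was found, and none of them is stopped.
        Healthy         = ($missing.Count -eq 0 -and $services.Count -gt 0 -and $stopped.Count -eq 0)
    }
}

# Usage: run after the installer (and any reboot) finishes.
$report = Get-TmgPostInstallReport
$report.Features | Format-Table Feature, Installed, Purpose -AutoSize
$report.Services | Format-Table -AutoSize
if (-not $report.Healthy) {
    Write-Warning ('Missing features: ' + ($report.MissingFeatures -join ', ') +
                   '; stopped TMG services: ' + ($report.StoppedServices -join ', '))
}
```

If Healthy comes back False with services stopped but all features present, that matches the symptom described above, and a restart is the first thing to try before digging into the setup logs.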
Figure 42