One of the features of Forefront TMG is its support for several client types that connect to the Forefront TMG firewall. One of these client types is the Microsoft Forefront TMG client, also known as the Winsock client for Windows operating systems. The TMG client offers several enhancements compared to the other client types (Web proxy and Secure NAT). The Forefront TMG client can be installed on several Windows client and server operating systems (installing it on servers is something I do not recommend, except on Terminal Servers) which are protected by Forefront TMG 2010. Forefront TMG Client provides HTTPS inspection notifications (used with TMG 2010), automatic discovery, enhanced security, application support, and access control for client computers. When a client computer running Forefront TMG Client makes a firewall request, the request is directed to the Forefront TMG 2010 computer for further processing. No specific routing infrastructure is required, because the request is intercepted at the Winsock layer. Forefront TMG Client transparently sends user information with each request, enabling you to create a firewall policy on the Forefront TMG 2010 computer with rules that use the authentication credentials forwarded by the client, but only for TCP and UDP traffic. For all other protocols you must use a Secure NAT client connection. For a list of reasons for using the TMG client, read Tom Shinder's article on www.ISAserver.org:
In addition to the following standard features of previous Firewall clients, the TMG client supports:
- HTTPS inspection notification
- AD Marker support
Standard features of the TMG client
- User or group based firewall policies for Web and non-Web proxy based TCP and UDP traffic (and only for these protocols)
- Support for complex protocols without the requirement to use a TMG application filter
- Simplified routing configuration for large organizations
- Auto Discovery for TMG information based on DNS and DHCP Server settings.
The TMG client has some system requirements:
Supported operating systems
- Windows 7
- Windows Server 2003
- Windows Server 2008
- Windows Vista
- Windows XP
Supported ISA Server Versions and Forefront TMG Versions
- ISA Server 2004 Standard Edition
- ISA Server 2004 Enterprise Edition
- ISA Server 2006 Standard Edition
- ISA Server 2006 Enterprise Edition
- Forefront TMG MBE (Medium Business Edition)
- Forefront TMG 2010 Standard Edition
- Forefront TMG 2010 Enterprise Edition
Operating system support
Table 1: Source: http://technet.microsoft.com/en-us/library/dd897009.aspx
Table 2: Source: http://technet.microsoft.com/en-us/library/dd897009.aspx
TMG client settings on the TMG server
There are only a few settings on the Forefront TMG server that control the behavior of the Forefront TMG client. First of all, it is possible to enable TMG client support for the internal network definition on the TMG server, as you can see in the following screenshot.
Figure 1: TMG client settings on TMG
After TMG client support is enabled (the default after a normal TMG installation), it is also possible to automate the client computers' Web browser configuration. During the normal update intervals of the TMG client, or during service startup, the browser receives the settings configured in the TMG management console.
In the Application settings for the TMG client in the TMG console it is possible to enable or disable some application-dependent settings.
Figure 2: TMG client settings
Microsoft Forefront TMG provides new functionality for automatic detection of the TMG server by the TMG client. Unlike previous Firewall client versions, the Forefront TMG client can now use a marker in Active Directory to find the corresponding TMG server. The TMG client uses LDAP to find the required information in Active Directory.
If the TMG client cannot reach Active Directory to look for the AD marker, it will not fail over to the classical automatic detection methods through DHCP and DNS, for security reasons. This is done to reduce the risk of an attacker forcing a fallback to the less secure method. If a connection to Active Directory can be established but an AD marker cannot be found, the TMG client will fail over to DHCP and DNS.
To create the AD marker configuration in Active Directory, you can download the TMG AD Config Tool from the Microsoft Download Center (look for AdConfigPack.EXE). After the tool has been downloaded and installed on the TMG server, you can execute the following command line in order to register the AD marker key:
tmgadconfig add -default -type winsock -url http://nameoftmgserver.domain.tld:8080/wspad.dat
It is also possible to remove the AD marker with the tmgadconfig tool if you decide not to use the AD marker support.
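To make the fail-closed detection order described above concrete, here is an added Python model of the decision logic; it is an example written for this article, not Microsoft's TMG client code. The three lookup functions are constructed stand-ins for the real AD (LDAP) marker query, the DHCP lookup and the DNS lookup, the server name tmg01.example.local is a placeholder, and the URL validator accepts only the http://host:port/wspad.dat form shown in the tmgadconfig command above (that restriction is an assumption of the example, not a documented TMG rule).

```python
"""Model of the TMG client's automatic-detection order (constructed example).

Order: AD marker first; if AD is unreachable, stop (no fallback); if AD is
reachable but holds no marker, fall back to DHCP and then DNS.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse


class ADUnreachable(Exception):
    """Raised by the AD lookup when no domain controller can be contacted."""


@dataclass(frozen=True)
class Discovery:
    source: Optional[str]   # "ad-marker", "dhcp", "dns" or None (nothing found)
    url: Optional[str]      # URL of the wspad.dat configuration script


def is_valid_wspad_url(url: str) -> bool:
    """Accept only an absolute HTTP URL that points at a wspad.dat script,
    i.e. the form registered with 'tmgadconfig add ... -url http://host:8080/wspad.dat'.
    Restricting the scheme and path this way is an assumption of this example."""
    parts = urlparse(url)
    return (parts.scheme == "http"
            and bool(parts.hostname)
            and parts.path.lower().endswith("/wspad.dat"))


def discover_tmg(lookup_ad: Callable[[], Optional[str]],
                 lookup_dhcp: Callable[[], Optional[str]],
                 lookup_dns: Callable[[], Optional[str]]) -> Discovery:
    """Return which detection method produced the TMG server URL."""
    try:
        url = lookup_ad()
    except ADUnreachable:
        # AD could not be contacted: do NOT fall back to DHCP/DNS, so that an
        # attacker who blocks LDAP cannot force a downgrade to the weaker methods.
        return Discovery(None, None)
    if url and is_valid_wspad_url(url):
        return Discovery("ad-marker", url)
    # AD was reachable but no (valid) marker exists: classic detection is allowed.
    for source, lookup in (("dhcp", lookup_dhcp), ("dns", lookup_dns)):
        url = lookup()
        if url and is_valid_wspad_url(url):
            return Discovery(source, url)
    return Discovery(None, None)


# Constructed lookups simulating the scenarios described in the text.
MARKER_URL = "http://tmg01.example.local:8080/wspad.dat"   # placeholder server name
DHCP_URL = "http://tmg01.example.local:8080/wspad.dat"     # constructed DHCP answer
DNS_URL = "http://wpad.example.local/wspad.dat"            # constructed DNS answer


def ad_with_marker() -> Optional[str]:
    return MARKER_URL


def ad_without_marker() -> Optional[str]:
    return None


def ad_unreachable() -> Optional[str]:
    raise ADUnreachable("no domain controller reachable")


def dhcp_answer() -> Optional[str]:
    return DHCP_URL


def dns_answer() -> Optional[str]:
    return DNS_URL


def no_answer() -> Optional[str]:
    return None


if __name__ == "__main__":
    print("marker present :", discover_tmg(ad_with_marker, dhcp_answer, dns_answer))
    print("no marker      :", discover_tmg(ad_without_marker, dhcp_answer, dns_answer))
    print("AD unreachable :", discover_tmg(ad_unreachable, dhcp_answer, dns_answer))
```

The third case is the security-relevant one: with AD unreachable the function returns no server at all, even though DHCP and DNS would have answered, which is exactly the behaviour the article attributes to the TMG client.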
Installation of the TMG client
The latest version of the TMG client can be downloaded from the Microsoft website. I provided you with the download link at the end of this article.
Start the installation process and follow the instructions of the wizard.
Figure 3: Installation of the TMG client
It is possible to specify the location of the TMG server manually or to detect it automatically during the installation of the TMG client. After installation, it is possible to reconfigure the TMG client detection settings with the TMG client configuration tool, which you will find in the task pane of your client.
Figure 4: TMG client computer selection
Advanced Automatic Detection
If you want to modify the behaviour of the automatic detection process, the TMG client now has new options to define the method used for automatic detection.
Figure 5: Advanced Automatic Detection
HTTPS inspection notification
Microsoft Forefront TMG has new functionality to inspect HTTPS traffic for outgoing client connections. To inform users about this sensitive process, the new TMG client can, if you want it to, notify users that their outgoing HTTPS connection is being inspected. TMG administrators also have the option to deactivate the notification centrally on the TMG server or manually on every Forefront TMG client. For more information about outgoing HTTPS inspection settings, read the following article by Tom Shinder on www.isaserver.org.
Figure 6: Secure connection inspection
If outgoing HTTPS inspection is enabled and the setting to inform users about HTTPS inspection is also enabled, users with the Forefront TMG client installed will see a message like the one in the following screenshot.
Figure 7: Secure Connection Inspection message
In this article, I gave you an overview of the installation and configuration process of the new Microsoft Forefront TMG client. I also showed you some of the new features of the Forefront TMG client. In my opinion you should use the TMG client wherever possible in your environment, because of the additional security features. I explicitly did not cover some advanced configuration settings of the TMG client because these settings remain unchanged compared to the previous Firewall client; if you want more information about these settings, read the following articles on www.ISAserver.org.
- Firewall Client Basics: Introduction to the ISA Server Firewall Client and Forefront TMG Client
- How to automatically deploy the Microsoft Firewall client
- Forefront Threat Management Gateway (TMG)-Client
- ISA Server Firewall client configuration
- About firewall client computers
- Forefront TMG Client
- Installing Forefront TMG Client software
- TMG Client introduces automatic detection using Active Directory
- Why the ISA Firewall Client Rocks: Lessons on the ISA Stateful Application Layer Inspection Firewall
- Outbound SSL Inspection with TMG Firewalls (Part 1)