TMG Enterprise Arrays Explained

by Richard Hicks [Published on 2 March 2010 / Last Updated on 20 May 2013]

This article will focus on how to configure EMS-managed and standalone arrays, explain differences between the two and discuss deployment scenarios for each one.

Introduction

Microsoft Forefront Threat Management Gateway (TMG) 2010 comes in two editions: Standard and Enterprise. With Enterprise Edition, administrators have the ability to create clustered arrays of TMG firewalls that operate (and can be managed) as a single logical firewall. Arrays provide redundancy, high availability, and scalability. With TMG there are now two different types of arrays – standalone (which is new to TMG) and Enterprise Management Server (EMS) managed. This article will demonstrate how to configure EMS-managed and standalone arrays, explain differences between the two, and discuss deployment scenarios for each. It will also demonstrate how to manage TMG Standard Edition firewalls with TMG Enterprise.

EMS-managed Arrays

If you are familiar with Microsoft ISA Server 2006, EMS is essentially the same as the Configuration Storage Server (CSS) with a few minor differences. With the TMG EMS we now have the ability to join an array after installing the TMG software, and likewise the option to later disjoin an array. This makes enterprise configuration much more flexible by giving the administrator the option to move TMG firewalls from one array to another without having to uninstall and reinstall the TMG software. Unlike ISA Server where the CSS could reside on an array member, the TMG EMS must be installed on a separate system outside of the array.

Note:
This article assumes that you have successfully completed the installation of the TMG EMS service on one system, the TMG firewall service on another, and have joined a domain. For more information on how to install and configure TMG and EMS, please refer to Deb Shinder’s article here on ISAserver.org.

To join a TMG Enterprise Edition firewall to an EMS, open the management console on the TMG firewall system and highlight the root node in the navigation tree on the left side. Next, select Join Array in the Tasks pane on the right side.


Figure 1

This will launch the Forefront TMG Join Array Wizard.


Figure 2

Select the option to Join an array managed by an EMS server.


Figure 3

Enter the fully qualified domain name (FQDN) of the EMS system. If you are logged on with administrative privileges, select the option to Connect using the credentials of the logged on user. Otherwise select the option to Connect using this account: and specify the username and password of a user with administrative privileges.


Figure 4

If you are joining an existing array, select the option to Join an existing EMS-managed array (recommended): and select the array you wish to join from the drop-down list. Be sure you are using an account that has been granted administrative privileges on the array or the enterprise that the array belongs to.


Figure 5

Although it is recommended that you first create the array on the EMS before joining array members, for demonstration purposes we will select the option to Create a new EMS-managed array. If you have already configured access rules on the TMG firewall you are joining to the array, select the option to Use the current configuration at the new EMS-managed array. If you do not select this option, your existing configuration will be replaced with the default configuration of the new array.


Figure 6

Enter the name and optionally a description of the array. Provide the DNS name of the array, preferably in FQDN format. Select the enterprise policy that you wish to apply to this new array.


Figure 7

Review the configuration details and complete the installation.


Figure 8

Standalone Arrays

Standalone arrays are new to TMG. This enterprise deployment option allows the administrator to configure an array of TMG firewalls that are not managed by an external EMS. With standalone arrays, one array member is designated the array manager. The other members of the array then retrieve their configuration from the designated array manager.

To create a standalone array, open the management console on the TMG firewall system and highlight the root node in the navigation tree on the left side. Next, select Join Array in the Tasks pane on the right side.


Figure 9

This will launch the Forefront TMG Join Array Wizard.


Figure 10

Select the option to Join a standalone array managed by a designated array member (array manager).


Figure 11

Enter the IP address or fully qualified domain name of the TMG firewall to be designated as the array manager.


Figure 12

Review the configuration details and complete the installation.


Figure 13
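Whether the firewall joined an EMS-managed array or a standalone one, it is worth confirming from the firewall itself which array it now belongs to and which other members it sees. The PowerShell snippet below is an added example, not part of the original article, that reads the TMG COM object model (FPC.Root); the DNSName property name is an assumption and should be checked against the object model on your system.

```powershell
# Added example (not from the article): verify array membership after the Join Array wizard.
# Run in an elevated PowerShell session on the array member you just joined.
# Assumption: FPCArray exposes DNSName; FPC.Root, GetContainingArray, GetContainingServer,
# Name and Servers are part of the ISA/TMG COM object model.

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()     # the array this server is a member of
$local = $root.GetContainingServer()    # this server's own entry in that array

"Array name : {0}" -f $array.Name
"Array DNS  : {0}" -f $array.DNSName
"Members    : {0}" -f $array.Servers.Count

foreach ($s in $array.Servers) {
    $marker = if ($s.Name -eq $local.Name) { ' (this server)' } else { '' }
    "  - {0}{1}" -f $s.Name, $marker
}

# A Standard Edition firewall joined to an EMS always sits in a single-member array,
# so more than one member indicates an Enterprise Edition array.
if ($array.Servers.Count -gt 1) {
    "Multi-member array detected: Enterprise Edition array"
}
```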

Disjoining Array Members

Having the ability to remove a TMG firewall from an array is a much appreciated new feature of TMG 2010. With this ability the administrator can selectively move TMG firewall systems between enterprise arrays, if needed.

As with joining the TMG firewall to an EMS, disjoining the array is equally straightforward. Open the management console on the TMG system and highlight the root node in the navigation tree on the left side. Next, select Disjoin Array in the Tasks pane on the right side.


Figure 14

This will launch the Disjoin Server From Array wizard.


Figure 15

There are no options to choose when disjoining an array member from an array. Choose Finish to complete the configuration.

Enterprise Management for TMG Standard Edition

One of the lesser-known features of TMG Enterprise Edition is the ability to manage TMG Standard Edition firewalls. This will greatly simplify management for environments that deploy a mix of TMG Standard and Enterprise edition firewalls.

The process of joining a TMG Standard Edition firewall to an EMS is essentially the same as for Enterprise Edition, with the exception that you cannot join an existing array. The only option available is Create a new EMS-managed array.


Figure 17

Once you have joined the TMG Standard Edition firewall to the EMS, you can manage it as you would any other Enterprise Edition array. The only limitation when joining TMG Standard Edition firewalls to an EMS is that the array can contain only a single TMG Standard Edition firewall.

Standalone Arrays vs. EMS-managed Arrays

The choice to deploy standalone arrays or EMS-managed arrays depends on your implementation requirements. If you have multiple network egress points in your environment, configuring TMG using EMS is the best choice. In this scenario, an EMS-managed array will allow you to configure access rules at the enterprise level. Administration overhead is reduced dramatically because a single policy will apply to all arrays in the enterprise. Standalone arrays are a convenient option when high availability is required for networks with a single network egress point, and there is no need to manage other TMG firewalls elsewhere in your environment.

Summary

Microsoft Forefront Threat Management Gateway (TMG) 2010 Enterprise Edition includes the ability to create clustered arrays of firewalls for providing redundancy and high availability. By adding members to an Enterprise array, we also have the ability to scale effectively and efficiently. Managing TMG Standard Edition firewalls is a new feature that will greatly simplify TMG management in large and complex environments.

The Author — Richard Hicks


Richard Hicks (MCP, MCSE, MCTS, MCITP:EA, Enterprise Security MVP) is a network and information security expert specializing in Microsoft technologies. As a five-time Microsoft Most Valuable Professional (MVP), he has traveled around the world speaking to network engineers, security administrators, and IT professionals about Microsoft edge security and remote access solutions.
