Tweaking the configuration of Forefront TMG with customized TMG XML configuration files

by [Published on 7 June 2011 / Last Updated on 20 May 2013]

In this article I will show you how to use the export and import functionality of Forefront TMG to tweak some TMG configuration settings which are normally not accessible or changeable in the Forefront TMG management console.

Let's begin

Before we start how to tweak the Forefront TMG configuration with modified XML export/import files I must tell you that you must use this information at your own risk, no warranty, and I recommend to always create a backup of your TMG configuration before you modify something.


Get your copy of the German language "Microsoft ISA Server 2006 - Das Handbuch"

Forefront TMG as its predecessor ISA Server 2006 has the capability to back up the entire Forefront TMG configuration or parts of the Forefront TMG configuration into a XML file. You can use this XML files to restore the configuration on the same or a different Forefront TMG server. The following screenshot shows an example how to export a Firewall policy rule into an XML file. For more information about the backup and restore process of Forefront TMG, read the following article.


Figure 1: Export selected Firewall policy rule

Quick note:
The backup and restore process backs up and restores certificate keys, which indicate to Forefront TMG which certificates to use, but it does NOT backup the certificates themselves, so you always have to create a backup of your certificates on the TMG server with the import and export functionality of the certificate MMC Snap In from Windows Server 2008/R2 and you should place the certificates on a secure location because the certificate contains the private key which is used to decrypt the encrypted network traffic.

The following screenshot shows an example of an exported Firewall policy rule, in this example the Default Firewall policy rule of Forefront TMG.


Figure 2: Edit an XML file with an XML editor

Activating and deactivating the default rule

The Default Firewall Policy rule of Forefront TMG cannot be deactivated within the Forefront TMG MMC. Under normal circumstances it should not be necessary to disable the Default Firewall Policy rule because this rule works a “catch all” rule for traffic which is not explicitly allowed or denied to the Forefront TMG System policy rules or user defined Firewall Policy rules. If you have the requirement to disable the Default Firewall Policy rule, you must export the rule and after that you must edit the rule with a text editor like Notepad.exe or better a specialized XML editor. For this article I used Notepad++ as the editor.


Figure 3: The default Firewall policy rule cannot be disabled

To deactivate or activate the system policy rule, export the Default Firewall Policy rule with the TMG MMC into a XML file and edit the XML file with a text or XML editor and change the “IsDefaultRule” entry to 0 from 1 and save the XML file, as shown in the following screenshot.


Figure 4

After the XML file has been modified, import the XML file into your TMG configuration and from now on it is possible to activate or deactivate the default rule with the TMG MMC:


Figure 5: The default Firewall policy rule can now be activated or deactivated

Enable or disable the rule with ADSIEDIT

It is also possible to enable or disable the Firewall policy rule with ADSIEDIT. Forefront TMG stores the configuration into a AD-LDS (Active Directory Lightweight Directory Service) instance, and it is possible to edit the TMG configuration with ADSIEDIT. You can read more about the TMG storage in the following article.

Start ADSIEDIT and connect to the TMG storage, navigate to the Firewall policy rule which you want to enable or disable and change the msFPCEnabled attribute to a value you want (true or false) as shown in the following screenshot.


Figure 6: Enable or disable rules with ADSIEDIT

Enable / Disable logging for System policy rules

As a next step I will show you how it is possible to disable logging for a System policy rule. If you try to disable logging for a System policy rule with the TMG MMC you will get a error message as shown in the following screenshot.


Figure 7: It is not possible to disable logging for this system policy rule

To overcome this limitation we must export the entire System policy rule set into a XML file.


Figure 8: Export System Policy Rules

After the System policy rule set has been exported, edit the XML file with a XML editor and locate the System policy rule which you would like to change and insert the following string into the XML file as shown in the next screenshot.


Figure 9: Disable logging for this System Policy Rule

Save the XML file and import the System policy rule set with the TMG MMC. After the XML file has been imported, logging for this System policy rule has been deactivated.


Figure 10: Logging is now disabled for this System Policy Rule.

Attention:
If you try to enable logging again for this System policy rule with the Forefront TMG Management console, you will get an error that this is not possible, so you have to enable logging for this rule again with modifying the rule with an editor and after that, import the Firewall policy rule again into the TMG MMC.

Conclusion

I hope that you now have a better understanding about the Forefront TMG capabilities to export and import parts of the Forefront TMG configuration and how to modify some settings to tweak the Forefront TMG configuration. I also tried to give you some more information about the structure of Forefront TMG XML files to better understand the structure of these files. Before you start to tweak your TMG configuration, you should always make a backup of your configuration.

Related links

The Author — Marc Grote

Marc Grote avatar

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in System Center, TMG/UAG Server, Exchange, Security for Windows Server 2012 R2 and Windows Server 2012 R2 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004 until 2014. Starting in 2014 he has been awarded as an MVP for Hyper-V.

Latest Contributions

Advertisement

Featured Links