
Topic: Installing Threat Management Gateway 2010 RTM Enterprise Edition

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Installing Threat Management Gateway 2010 RTM Enterprise Edition

    Code:
    http://www.isaserver.org/tutorials/Installing_Threat_Management_Gateway_2010_RTM_Enterprise_Edition.html

    PART-1


    Introduction

    I love new things, and I am excited about coming into this new position just in time to introduce a new product: Microsoft's Threat Management Gateway 2010 EE RTM. In this article, we'll start at the beginning, with how to install TMG 2010 EE RTM.
    Of course, the real beginning is the planning phase, where you determine what the hardware requirements are going to be, and what role the TMG firewall is going to play on your network. However, if you're new to the TMG firewall, you probably just want to get it installed and see what it looks like. Planning for deployment can take place later if you decide you like what you see, and we'll address that in a later article. Meanwhile, this is the first of a two-part piece that will guide you through the installation process and point out potential "gotchas" that you might encounter along the way.
    Let us get started!

    As always, the first step is to make sure your hardware meets the minimum requirements, which you can find here.
    Many of you will be doing this initial installation for testing and evaluation purposes. So we will install the RTM release of the TMG firewall in a virtual machine, and the VM will have two network interfaces:

    • An external interface, which is bridged to the production network that allows it to connect to the Internet, and
    • An internal interface that only allows it to connect to other virtual machines.

    In this example, the only other virtual machine is a domain controller, and the TMG firewall belongs to the same domain as the domain controller.
    This is going to be a "vanilla" install. The only thing we have done in advance is join the TMG virtual machine to the domain and then installed Windows Updates. I have not installed any Exchange components or any other "out of band" software. Our goal is to do what most admins will do - install the software in an "out of the box" configuration and then try to make it do what we want it to do as we learn more about the product.
    NOTE:
    One thing that you should know before we get started is the DNS configuration on the TMG VM's NICs. Because you should never (well, almost never) include an external DNS server on any of the firewall's NICs, I have configured the external interface with no DNS server setting, and the internal interface with the IP address of the internal DNS server, which is also a domain controller. This is going to cause some issues that I'll talk about later when we run into them.
    Here is a simple network diagram of what I am working with right now and for this article:

    Diagram 1
    The first step is to download the evaluation version of the software. At this time, TMG is not available on MSDN, but you can download an evaluation here.
    After you get the file downloaded, double click on it and it will unpack the files. After the files are unpacked, you will see the Welcome to Microsoft Forefront TMG page. This looks a bit different compared to what we saw with the ISA firewall and it includes some welcome new options. Notice the Prepare and Install section - now you can run Windows Updates from the installation page. We already did that, so we don’t need to do it now. Another new option, Run Preparation Tool, is one that we will use. Click that one now.

    Figure 1
    It’s clear that the TMG developers had large monitors when they created this interface. The dialog boxes are huge. I suppose that makes it nice for both the devs and the users – but makes it a bit of a pain for writers who have limited horizontal space for screenshots :)
    On the Welcome to the Preparation Tool for Microsoft Forefront Threat Management Gateway (TMG) page, click Next.

    Figure 2
    On the License Agreement page, put a checkmark in the I accept the terms of the License Agreements checkbox and click Next. Here you are accepting the license agreements for the Microsoft Chart Controls for Microsoft .NET Framework 3.5 and 3.5 SP1 and Microsoft Windows Installer 4.5.

    Figure 3
    On the Installation Type page, you have three options:

    • Forefront TMG services and Management
    • Forefront TMG Management only
    • Enterprise Management Server (EMS) for centralized array management

    The new TMG makes it easier than ever to work with TMG EE, in contrast to the complexity of EE management with the ISA firewall. That is why we are installing EE in this article series – to show that you can get EE installed easily. Later we’ll create a standalone array and then we will take down the standalone array and create an enterprise array. It’s easy and fun! But first, let’s just handle the basics and select the Forefront TMG services and Management option. Click Next.

    Figure 4
    On the Preparing System page, you will see installation progress for the prerequisite software.

    Figure 5
    The Preparation Complete page shows that the prerequisite software was installed successfully.

    Figure 6
    Now the Welcome to the Installation Wizard for Forefront TMG Enterprise page appears. Click Next to start installing TMG EE.

    Figure 7
    On the License Agreement page, select the I accept the terms in the license agreement option and click Next.

    Figure 8
    Enter your customer information (user name, organization name and product serial number) on the Customer Information page and click Next.

    Figure 9
    On the Installation Path page, you can use the default path or choose your own path in specifying the location where you want to install the TMG firewall’s files. In this example, we’ll use the default path and click Next.

    Figure 10
    Ah, now here is a blast from the past - the Define Internal Network page. For the TMG firewall, as for the ISA firewall, the default Internal Network is where your core infrastructure services are contained; these include Active Directory, DNS, DHCP and WINS. You can change this definition later if you like, but we need to be able to access these resources during installation, so we have to define the default Internal Network now.
    Click the Add button on the Define Internal Network page. This brings up the Addresses dialog box. There are several ways to add the addresses for the default Internal Network, but my preferred method is to use the Add Adapter approach. Click Add Adapter.

    Figure 11
    On the Select Network Adapters dialog box, select the LAN NIC (or whatever name you have defined for that NIC) and then put a checkmark in the checkbox for that NIC. Make sure the information in the Network adapter details section accurately reflects the details of the NIC you selected. Then click OK.

    Figure 12
    The addresses associated with the internal NIC now appear in the Addresses text box. These addresses are based on routing table entries on the firewall - if you have not configured routing table entries on the firewall yet, these addresses might not be entirely correct, but it’s something that we can fix later, which you’ll see as we move through the installation process.

    Figure 13
    Click Next on the Define Internal Network page.

    Figure 14
    As with the installation of the ISA firewall, a number of services will need to be restarted or disabled when you’re installing the TMG firewall. In this case, these include:

    • SNMP service
    • IIS Admin service
    • WWW Publishing Service
    • Microsoft Operations Manager Service

    NOTE:
    TMG is not saying that these are currently installed – it’s just telling you that if they are installed, they’ll be disabled or restarted.
    Click Next.

    Figure 15
    Click Install on the Ready to Install the Program page.

    Figure 16
    A progress bar shows your progress in the installation.

    Figure 17
    Another dialog box will appear and give you more information about how long things are going to take. Notice that these are estimated figures; despite the numbers you see here, it took almost 30 minutes for installation to complete for me. This might be related to DNS issues, which I'll discuss later.

    Figure 18
    Now the Installation Wizard has completed and you might think you’re finished. In the past, with the old ISA firewall, this would have been it. The next step would have been to go into the ISA firewall console and get to configuring Networks, Access Rules, and other components to get the thing working. But with TMG, you’re not quite done yet.
    If you select the Launch Forefront TMG Management when the wizard closes option, there will be a set of three more wizards that make it possible to get up and running at the end of the installation process.

    Figure 19
    Because these wizards are new, and we’re at the end of our word count for this article, we’ll save our discussion of the new installation wizards for the next article in this two part series. Hopefully this will whet your appetite for what comes next.
    Summary


    In this article, we started off by explaining that we would install the new TMG 2010 EE firewall in a plain vanilla configuration. The only settings on the TMG firewall VM are the DNS settings, and the firewall VM has been joined to the domain before beginning the installation of the firewall software. Next we launched the installation processes, configured the default Internal Network, and let the installation complete. In the next installment of this series, we’ll complete the installation of the firewall by going through the three new wizards that are nested in a new Getting Started Wizard. See you then! - Deb.

  2. #2
    Real name: 1234

    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Code:
    http://www.isaserver.org/tutorials/Installing-Threat-Management-Gateway-2010-RTM-Enterprise-Edition-Part2.html
    PART-2

    Introduction

    In the first part of this two part series, we began the installation of TMG Enterprise Edition in a simple “vanilla” setup. Most of what you have seen so far undoubtedly looks very similar to the installation experience you have had with ISA Server over the last decade. In this, part two of the series, we will see some new components of the installation process; specifically, we will be taking a look at the new Getting Started Wizard.
    Let us pick up where we left off. At this point you will see the Getting Started Wizard page, and the first part of this process is to configure the network settings. Click the Configure network settings link.
    Note:
    Notice at the bottom of the page that if you need to import your ISA 2006 configuration into TMG, you need to do that before you run the Getting Started Wizard. We’ll talk about migrating your ISA firewall configuration settings to TMG in a future article, so we won’t cover that right now.

    Figure 1
    Also note that you can get help with the Getting Started Wizard by clicking the Help about the Getting Started Wizard link toward the bottom of the page.
    Click Next on the Welcome to the Network Setup Wizard page.

    Figure 2
    On the Network Template Selection page, you have up to four options to choose from:

    • Edge Firewall - This is the default option and the one used in the majority of cases. This will create a default Internal Network and a default External Network.
    • 3-Leg perimeter - This option allows you to configure a trihomed DMZ segment. The reason it doesn’t appear as an option in the figure below is because you need at least three NICs for this option to be available. When you select this option, a TMG Firewall Network will be created by the DMZ segment, and Network Rules will be automatically created for you.
    • Back firewall - This option is used when you have another firewall, such as another TMG firewall, ISA firewall or 3rd party firewall, in front of the TMG firewall. A perimeter TMG Firewall Network will be automatically created as well as a default Internal Network.
    • Single network adapter - This option is used when you have a single NIC installed on the TMG firewall. This is used only when the firewall is going to be used as a Web proxy server. This configuration does not support any protocols other than HTTP, HTTPS and FTP. It does support remote access VPN.

    In this example we will select the Edge firewall option and click Next.

    Figure 3
    On the Local Area Network (LAN) Settings page, you configure the IP addressing configuration of the internal interface. If you already configured the interface, you will see the settings here. You can also change the settings on this page. In the Specify additional network topology routes section, you can click the Add button and add routing table entries (not sure why they called routing table entries “network topology routes”, but I was not at that meeting).
    After configuring your internal interface settings, click Next.

    Figure 4
    On the Internet Settings page you configure the IP address settings on the external interface. Notice that you have the option to set static entries or use DHCP. Select the appropriate NIC and then choose the settings that work for you. Click Next.

    Figure 5
    That is all for the Network Setup Wizard. Review your settings on the Completing the Network Setup Wizard page and click Finish.

    Figure 6
    The next step is the Configure system settings wizard. Click the Configure system settings link to get started.

    Figure 7
    Click Next on the Welcome to the System Configuration Wizard page.

    Figure 8
    Several configurable options are available on the Host Identification page:

    • Computer name - Here you can click the Change button to change the name of the computer. This will require a restart of the machine.
    • Member of - Here you can choose to make the TMG firewall a member of a Windows domain or a Workgroup. In most cases, the TMG firewall should be made a member of a domain so that you have the highest level of security possible for the firewall. You will need to restart the machine after changing workgroup or domain membership.
    • Primary DNS Suffix - Here you can change the primary DNS suffix used by the TMG firewall. This is used by the firewall to append a suffix to single label name queries that the firewall may need to perform. If the TMG firewall is a member of a domain, it will automatically pick up the Active Directory domain name as the primary DNS suffix.

    At the bottom of the page you’ll see the full computer name of the TMG firewall after you make changes here. In general, I handle these configuration tasks before beginning installation of the TMG firewall. However, if you forget to do this in advance, it’s nice to know that you can take care of these tasks by using the System Configuration Wizard.
    Click Next.

    Figure 9
    Wow! That was a pretty short wizard. Read the information on the Completing the System Configuration Wizard page to confirm that it is correct and then click Finish. Note that if you change the domain, workgroup or computer name, the machine will restart before you can move on to the next steps.

    Figure 10
    The third step of the Getting Started Wizard is Define deployment options. Click the Define deployment options link.

    Figure 11
    Click Next on the Welcome to the Deployment Wizard link.

    Figure 12
    The first thing the Deployment Wizard wants you to do is choose your Microsoft Update Setup options. Here you have three choices:

    • Use the Microsoft Update service to check for updates (recommended) - This option has the TMG firewall use Microsoft update on the Internet to update firewall, OS, anti-malware and NIS signatures. Since it’s likely that Microsoft has higher uptime than your internal WSUS or SCCM configuration, this is probably the best option for the majority of cases.
    • I do not want to use the Microsoft Update service - Use this option if your company has policy in place where you are not supposed to use the Microsoft Update to automatically update the firewall. You might use this option if you’re wary about installing updates and want to validate them before installing them on your firewall or firewall arrays.

    Notice that if the computer is not connected to the Internet, this step could take several minutes, as the firewall will try multiple attempts to connect to the Internet Microsoft Update Services. This is a little misleading because your firewall might be able to connect to the Internet, but if you didn’t configure the TMG firewall to use an external DNS server (which is not recommended – you should avoid configuring an external DNS server on any of the firewall’s interfaces), then the TMG firewall has no way to resolve the names of the Internet Microsoft Update servers.
    You might have configured the internal interface to use an internal DNS server, but the TMG firewall won’t be able to use that DNS server yet because you do not have an Access Rule in place that allows outbound access from internal DNS servers to external DNS servers. This puts you in a bit of a catch-22 – you need to resolve Internet host names, but you cannot get to the configuration interface yet to make those DNS servers available to you.
    Maybe in a future service pack update they’ll create a temporary DNS rule during setup that allows internal DNS servers to resolve public host names. Until then, we’ll just have to wait a bit during this phase of the installation.

    Figure 13
    On the Forefront TMG Protection Features Settings page you have several options:

    • Network Inspection System (NIS) - Here you can choose to activate the complementary license or choose not to activate it. You do not need to license the NIS signatures – all copies of the TMG firewall allow you to take advantage of NIS.
    • Web Protection - Here you have the option to Activate the evaluation license and enable Web protection. You can also enter your license details if you have licensed this feature. At this time, the details of how to license the Web protection updates are unclear.
    • Enable Malware Inspection - If you enable this option, the TMG firewall will be able to inspect Web (HTTP/HTTPS) connections for malware. Note that only Web connections are inspected – this feature does not inspect other protocols such as NNTP, SSH, etc.
    • Enable URL Filtering - This option turns on the URL Filtering capabilities of the TMG firewall and allows you to later configure sites or site categories that you might want to block access to, using Access Rules.

    Notice how the URL Filtering service works. The TMG firewall doesn’t download an entire database. Instead, the TMG firewall sends the URL string to the Microsoft Reputation Service over an SSL connection to get a category result and uses that result to evaluate the connection request.

    Figure 14
    On the NIS Signature Update Settings page, you have several options again:

    • Select automatic definition update action – You can choose to check and install the options, or check and download, or not even check. In most cases, you’ll want to automatically check for NIS signatures and install them automatically.
    • Automatic polling frequency - Microsoft works around the clock on putting together signatures to protect your network. In order to take advantage of this, you want to poll Microsoft servers frequently so that you have the most up to date protection. The default interval is 15 minutes, but you can change that value if you like to make the check more or less frequent.
    • Trigger an alert if no updates are installed after this number of days - This setting allows you to get an alert if updates don’t happen after “x” number of days.
    • New Signature Set Configuration - This allows you to set a default response policy for new signatures. The default setting is typically the best one, which is Microsoft default policy (recommended). I’ll do an article on NIS in the future that will give you more insight about NIS signatures and response policies.

    Click Next.

    Figure 15
    On the Customer Feedback page, you have the option to join the Microsoft Customer Experience Improvement Program. I highly recommend that you participate in this program. It allows Microsoft to find out how you use the TMG firewall and helps them focus on making the product better based on how people use the firewall. In this example we will select the Yes, I am willing to participate anonymously in the Customer Experience Improvement Program option and click Next.

    Figure 16
    On the Microsoft Telemetry Reporting Service page you can help Microsoft and other TMG firewall owners by providing information about malware and other attacks on your network to Microsoft. Unless you have a strong reason for not participating, I highly recommend that you select the Advanced option. This makes the anti-malware component more effective and ends up making everyone’s networks more secure. However, when you select the advanced option, in addition to basic information being sent to Microsoft, information about potential threats is sent in greater detail, including traffic samples and full URL strings. The additional information provides Microsoft with more help in analyzing and mitigating threats.
    In this example we will select the Advanced option and click Next.

    Figure 17
    That was a long wizard! On the Completing the Deployment Wizard page, read the information about the choices you made to confirm that they are correct, then click Finish.

    Figure 18
    At this point things seem to get stuck. As mentioned earlier, I suspect the issue is that the TMG firewall isn’t able to resolve the names it needs to get to the Internet locations required to download the updates to the anti-malware and NIS services. This is a problem related to the fact that you don’t want to put an external DNS server address on any of the TMG firewall’s NICs – but during installation, this might be required. However, it can also cause problems with Active Directory communications. The problem can be solved later by creating an Access Rule that allows internal DNS servers access to the Internet, the type of access depending on how you configure your internal DNS servers to resolve Internet host names – either via recursion or forwarders.
    At this point we are done with the Getting Started Wizard. It will say on the bottom of the page that You have successfully completed all the steps of the Getting Started Wizard. You are now ready to define Web Access policy for your organization. For ISA firewall admins, the Web Access Policy feature can be a bit confusing – because this policy creates Access Rules and groups them into a Web Access Policy.

    Figure 19
    So how did we do? I would expect that after installing the firewall the Alerts tab will be nice and clean and only tell me that the services have started and life is great – there will be plenty of time for me to mess up the configuration later. What’s the result?

    Figure 20
    Oops. What’s up with that? No more endpoint mappers, and I did not try to map an endpoint yet and even if I did, I wouldn’t know what endpoints to even try to map. I see the problem sometimes related to name resolution issues, so maybe the DNS issue I talked about earlier could be related to this. The malware inspection problem is most likely due to DNS issues, so I am not too worried about that one. Let us restart the firewall and see if anything interesting happens.
    That’s a little better. The WFP Filter Conflict Detected alert is a “normal” alert – i.e., it is a spurious alert that you can ignore. Not sure why the Malware Inspection Currently Unavailable alert is still there, but it is probably due to the fact that the machine has not been running long enough to download updates.

    Figure 21
    Summary


    In this two part series, we went over the installation experience for the TMG firewall. In the first part of the series, we saw what appeared to be an installation experience that was very close to the ISA firewall installation experience. However, in part 2 of this series, we were introduced to the Getting Started Wizard, which is all new with the TMG firewall. We went through the three sub-wizards that are part of the Getting Started Wizard and successfully completed installation of the TMG firewall.




    saeed_sqs thanked this post.
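The DNS rule that runs through both parts above (no external DNS server on any firewall NIC, the internal NIC pointing at the internal DC/DNS, and the stuck update step and endpoint mapper alerts that follow when the firewall cannot resolve names) can be audited before starting the installer. The script below is an added example, not code from the article or from the TMG product: it enumerates every IP-enabled adapter through WMI and warns about any DNS server outside the internal ranges. The `$InternalRanges` values are an assumption for the lab (the article never states its subnet), and the code avoids PowerShell 3.0 operators so it runs with Windows PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added example, not part of the article. Assumption: these are the lab's internal
# address ranges (the article never states its subnet); replace with your own.
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# Returns $true when an IPv4 address falls inside a CIDR block. PowerShell 2.0 safe:
# there is no -shl operator, so the per-octet mask is computed arithmetically.
function Test-InRange([string]$Address, [string]$Cidr) {
    $parts = $Cidr.Split('/')
    $net   = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    $ip    = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($ip.Length -ne 4) { return $false }   # IPv6 DNS servers are reported as external
    $bits  = [int]$parts[1]
    for ($i = 0; $i -lt 4; $i++) {
        $maskBits = [Math]::Max(0, [Math]::Min(8, $bits - 8 * $i))
        $mask = [int](256 - [Math]::Pow(2, 8 - $maskBits))
        if (($ip[$i] -band $mask) -ne ($net[$i] -band $mask)) { return $false }
    }
    return $true
}

# Enumerate every IP-enabled adapter, the same NICs the Define Internal Network page offers.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    $nic     = $_
    $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    if ($servers.Count -eq 0) {
        # Expected for the external NIC; the internal NIC should point at the DC/DNS.
        Write-Output ("OK      {0}: no DNS server configured" -f $nic.Description)
    }
    foreach ($s in $servers) {
        $internal = $false
        foreach ($r in $InternalRanges) {
            if (Test-InRange $s $r) { $internal = $true }
        }
        if ($internal) {
            Write-Output ("OK      {0}: DNS server {1} is in an internal range" -f $nic.Description, $s)
        } else {
            Write-Warning ("{0}: DNS server {1} is outside the internal ranges; remove it" -f $nic.Description, $s)
        }
    }
}
```

A warning here means the installer will resolve Internet names directly through an external server instead of through the internal DNS that the later Access Rule is meant to cover; a clean run with no DNS server on the external NIC is the configuration the article expects.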
