Showing posts with label TMG 2010. Show all posts

Monday, December 30, 2013

Installing EMS for Threat Management Gateway

This article describes the installation of EMS [Enterprise Management Server] for Threat Management Gateway.

Step 1:

Insert the TMG DVD. If Autorun does not start, open the DVD drive and click Autorun.hta; you will see the screen below, followed by the Menu screen.

 



Step 2:

Click Run Preparation Tool, highlighted in blue in the snapshot above, and the Forefront TMG Preparation Tool wizard starts as below. Read the text in this window to understand the process, then press Next.



After you press Next, the license agreement screen appears as usual; read and accept it, then press Next.



Step 3:

In the next window, select EMS and press Next. The wizard continues preparing the computer for the EMS installation,

 



and once it is complete you will see the window below.



Now, if you leave the option Launch Forefront TMG Installation Wizard selected, a new wizard opens automatically to install the components. If you do not, go back to Autorun.hta and select Run Installation Wizard. For an easy installation I would choose this option, so the next window on screen is the TMG Installation Wizard, shown below.



Step 4:

Along with the window above, another wizard runs as shown below. It is titled TMG Installation Wizard, but in our case it is installing EMS.




As usual, there is again a license agreement which you need to read and accept,


and then press Next.

Step 5:

In the next window, enter the customer information: user name, organization and serial number. Press Next once you have entered the information.


Step 6:

Select the installation path; I would leave it as is and press Next.


Step 7:

This is our new EMS installation, so I will select the new EMS configuration option.



Press Next in the next window as well, since this will be our new and only EMS server for the moment.



Also, you need to give the name and description of the new enterprise, as shown below.


Press Next.

Step 8:

Here I would choose the domain deployment environment, as I want it deployed across my domain.



Press Next, and at the next window, Ready to Install, press Next again.



The installation progresses.



Once complete, you will see another window, as below,



which shows that the installation has completed. Now, to confirm the installation, go to Start - Programs - Forefront TMG and open Forefront TMG Management.



Now you can see the TMG EMS console, as below.



So that is it. I hope this step-by-step information is helpful :-)

Creating an Enterprise Policy in TMG

Howdy,

This article outlines creating an Enterprise policy on an EMS server for TMG.

Requirements:

1. Windows 2008 R2 Server
2. Server joined to the domain [can be done in a workgroup too]
3. EMS installed. You can find the article on how to install EMS here

Let's look at the addition of a new policy step by step.

Step 1:

Go to the Forefront TMG console [EMS] on the server where EMS is installed. Expand the Enterprise node, right-click Enterprise Policies to see the "New" submenu, and click Enterprise Policy as shown below.




Step 2:

A new wizard window opens. Type in the name of the policy and click Next.



Step 3:

The next window shows the wizard completion summary, as below.



Step 4:

Go back to the console and click Apply at the top of the middle pane. The policy is created only after you click Apply.



As we have already seen what happens when we apply new configuration or settings, a Configuration Change Description window pops up, where you can enter the details of the change.



And once you click Apply, the settings are applied.



Now go back to the console and observe the changes. The policy you created moments ago is now shown in the console.



So that is about creating a new Enterprise policy in the EMS console. You can apply these policies to the arrays you create; I will cover this topic in later articles.

Joining a TMG Server to a Standalone Array in a Domain Environment

This article will help us understand how to join a Threat Management Gateway server to a standalone array in a domain environment.
I will consider the things below:
1. You have two Threat Management Gateway servers installed in a domain environment.
2. You have full rights on both servers.
3. Your Threat Management Gateway servers have no network errors connecting to the domain controllers.
Assuming the above is already accomplished, I will assume two other things here:
1. The first Threat Management Gateway server is up and running; I will call it SVMTMG01.Shiva.org.
2. The second Threat Management Gateway server is up and running; I will call it SVMTMG02.Shiva.org.
Now let's go through the steps:
Step 1: I will keep SVMTMG01.Shiva.org as the Array Manager, so I will boot the system and leave it that way.
Step 2: I will keep SVMTMG02.Shiva.org as the array managed node, so I will boot the system and log in to it.
Step 3: Open the Forefront Threat Management Gateway console on SVMTMG02.Shiva.org and click Join Array as shown below.

Step 4: In the Join Array wizard, click Next and select Join a Stand Alone Array Managed by a designated Array Member.



Step 5: Enter the details required, and please make sure that DNS is fully working for your Active Directory domain, as we will give the FQDN of the array member we are designating as the Array Manager. I am already an administrator for the domain and have full access on both TMG computers, so I will connect to the array member [soon to be Array Manager] using my logged-in credentials. You may want to use a different account.



Step 6: If DNS is working and the account you are using has the required rights, you should not see any errors. When you press Next you should see the screen below; click Next again, which brings up another window showing the "Joining the Array" progress notification.


Once the join completes, you will see a success notification as below.

Observe the change when you open the console on SVMTMG02 [an array member]: it shows that you are connected to SVMTMG01.


Go to the System tab [left pane] of your TMG console if you want information on the servers in the array and their respective designations. In our case it looks like the snapshot below.

If you notice, I have logged in to SVMTMG02, which is why you see Local Server after the server name SVMTMG02; you also see that it is an array managed node and that SVMTMG01 is the Array Manager.
So that is all about joining a Threat Management Gateway computer to a standalone array in a domain environment.

Joining a TMG Server to a Standalone Array in a Workgroup Environment

Howdy,
We already did a small setup where we showed how to join a Threat Management Gateway server to a standalone array in a domain environment. Here is the link to it:

http://tech.shashankaharitsa.in/2013/12/joining-tmg-server-to-standalone-array_30.html

Now we will join the Threat Management Gateway server to a standalone array in a workgroup environment. Before proceeding further, I will assume the things below are already taken care of:

1. Two Threat Management Gateway servers installed.
2. There is a Certificate Authority from which you can obtain a web server certificate with its private key.
3. You have DNS infrastructure where both Threat Management Gateway servers can resolve each other.
4. You have downloaded the certificate tool (ISACertTool) used to bind the certificate from http://www.microsoft.com/download/en/details.aspx?id=11183 and placed it under
"C:\Program Files\Microsoft Forefront Threat Management Gateway"

Here are my servers and their names:

1. Threat Management Gateway server 1 has the name MVMWGTMG01.wineng.in [note: wineng.in is a suffix that we have added]; this will be the Array Manager.

2. Threat Management Gateway server 2 has the name MVMWGTMG02.wineng.in [note: wineng.in is a suffix that we have added].

3. The Certificate Authority server is MVMCERT01.wineng.in.

Requesting a certificate from the Certificate Authority

Log in to Threat Management Gateway server 1, that is MVMWGTMG01.wineng.in, and open Internet Explorer. Type in the address of the Certificate Authority's web enrollment page and request a certificate with the FQDN MVMWGTMG01.wineng.in using a Web Server template for which private key export is enabled. This matters because with a Windows 2008 Server Certificate Authority you cannot export the private key with the default Web Server template. That is off topic for now and I will try to cover it in a later article.


Click Request a Certificate on the page above, and on the next page click Advanced Certificate Request.

On the next page, click Create and Submit a request to this CA.

Select a valid Web Server template (in my case I have a custom Web Server template with the private key export option) and type in a valid name and friendly name. In my case, mvmwgtmg01.wineng.in is the name I need the certificate for.

Make sure the Mark keys as exportable option is enabled on the same page, as below. Note, as said earlier, that the default Web Server template from a Windows 2008 CA will have this option greyed out.


Click the Submit button at the bottom of the page and you will see the response from the CA with the certificate, as shown below.

Click Install this certificate and it is saved. To retrieve the certificate, go to Internet Explorer options, open the Content tab and click Certificates to view the saved certificate.

 




Export the certificate along with the private key and place it under "C:\Program Files\Microsoft Forefront Threat Management Gateway" with the name certificate.pfx.

Binding the certificate to the ISASTGCTRL service

Now let's bind the certificate we requested to the ISASTGCTRL service on the soon-to-be array manager server, in our case MVMWGTMG01.WINENG.IN.
Log in to the soon-to-be array manager server with the correct rights.
Open a command prompt and execute the command below; if everything is correct you should see the output shown below it.

C:\Program Files\Microsoft Forefront Threat Management Gateway>ISACertTool.exe /st certificate.pfx /pswd 123 /keepcerts


To confirm the binding, open the MMC Certificates snap-in for the ISASTGCTRL service, look at its Personal store, and it should contain the certificate we bound above, as below.
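The same confirmation can be scripted. This is an added example, not code from the original post or from the TMG product: it opens the ISASTGCTRL service's personal store through CryptoAPI (the Cert: drive does not expose service stores) and checks that the bound certificate is for the array manager's FQDN, still carries its private key, is within its validity period and chains to the expected CA. The FQDN and CA name are the post's values and are assumed to be yours; run it elevated on the array manager.

```powershell
# Added example (not from the original post): verify the ISACertTool binding on the
# array manager by inspecting the ISASTGCTRL service certificate store.
# Assumptions: run elevated on the manager; names below are the post's values.
param(
    [string]$ManagerFqdn = 'mvmwgtmg01.wineng.in',
    [string]$IssuerName  = 'Wineng Certificate Authority'
)

# Service stores live under CERT_SYSTEM_STORE_SERVICES and are named "Service\Store".
Add-Type -Namespace Win32 -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CertOpenStore(IntPtr provider, uint encoding, IntPtr hProv, uint flags, string name);
'@

$CERT_STORE_PROV_SYSTEM_W   = [IntPtr]10      # provider id, passed as a pseudo-string
$CERT_SYSTEM_STORE_SERVICES = 0x00050000
$CERT_STORE_READONLY_FLAG   = 0x00008000
$CERT_STORE_OPEN_EXISTING   = 0x00004000      # fail instead of silently creating an empty store

$flags  = $CERT_SYSTEM_STORE_SERVICES -bor $CERT_STORE_READONLY_FLAG -bor $CERT_STORE_OPEN_EXISTING
$handle = [Win32.Crypt32]::CertOpenStore($CERT_STORE_PROV_SYSTEM_W, 0, [IntPtr]::Zero, $flags, 'ISASTGCTRL\My')
if ($handle -eq [IntPtr]::Zero) { throw 'Cannot open ISASTGCTRL\My: is the service installed and are you elevated?' }

# X509Store accepts a raw CryptoAPI handle, so the usual .NET certificate objects work from here.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($handle)
$cert  = $store.Certificates |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($ManagerFqdn))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$store.Close()

if (-not $cert) { throw "No certificate for $ManagerFqdn in the ISASTGCTRL personal store; the binding did not take." }

# A bound certificate without its private key, expired, or from an unexpected issuer breaks the array join.
$problems = @()
if (-not $cert.HasPrivateKey)                            { $problems += 'no private key (export the .pfx with the key)' }
if ($cert.NotAfter -lt (Get-Date))                       { $problems += "expired on $($cert.NotAfter)" }
if ($cert.Issuer -notmatch [regex]::Escape($IssuerName)) { $problems += "issuer is '$($cert.Issuer)', expected '$IssuerName'" }
if (-not $cert.Verify())                                 { $problems += 'chain does not validate on this machine' }

"Bound certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)  valid until $($cert.NotAfter)"
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'ISASTGCTRL binding looks correct.' }
```

Once the binding is confirmed, remember that certificate.pfx in the installation folder still contains the private key, so protect or remove it.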


Joining the workgroup TMG server to the array

Now that things are in place for the Array Manager, let's see what we should do on the member server.
In my case the soon-to-be array member is mvmwgtmg02.wineng.in. The first thing we need to do is make it trust the Certificate Authority from which we requested the web server authentication certificate for the soon-to-be array manager. So you will need to add the CA "Wineng Certificate Authority" to the Trusted Root Certification Authorities.
Once you have put the certificate authority into the Trusted Root Certification Authorities, open the Threat Management Gateway console on the soon-to-be array member server [mvmwgtmg02.wineng.in].
Click Join Array as below.

In the Join Array wizard, select "Join a standalone array managed by a designated array member (array manager)" and click Next.

In the next window, type in the name of the array manager [with FQDN], give the administrative account information if needed and click Next.

Next, you are asked to add the root certification authority. In our case we have already added it, so we select option 2 and click Next.

Click Finish to complete the Join Array wizard.



As soon as you click Finish, you will see the array join progress notification as below, and eventually it completes.


 




So that completes joining the server to the array. Now let's confirm it by opening the Forefront Threat Management Gateway console on our newly added array member.
The first thing you will notice is that it connects to MVMWGTMG01.WINENG.IN, which is our Array Manager. If you click System in the left pane of the console, you will see the information below, which clearly tells you which server is the Array Manager and which is the array member.



So that is about adding an array member to a standalone array in the workgroup scenario.