TMG Proxy Server

8. June 2012

I will use the Forefront TMG server as the Internet proxy, router and firewall for my SA360 environment.
To simulate a proper environment, it is important that you set up the LAN/WAN as close to the real world as possible.
Described below are the actions you must take to get the TMG server up and running in this environment. This description is NOT a production installation; I will not describe in detail every setting you need to set up a proper TMG server. This is only to set up a TMG server in this test environment.

Install your OS:
Like anything else, you need to set up your OS before you install TMG. I have installed Windows 2008 R2, fully patched. The server is placed in its own workgroup and is therefore not part of the HQ domain.


Install TMG:
Before you begin your installation, you should set up and name your NIC cards appropriately to ensure an easy installation.


In my scenario I have 3 NIC cards

  • CORP.LAN acts as the ISP with access to the internet this
  • DMZ.LAN is my perimeter network
  • HQ.LAN is my internal headquarter network

TCP/IP settings are as follows

  • DMZ (
  • HQ (

After you have downloaded the appropriate version of Forefront TMG, and your network is properly named and configured, you can initiate the setup.


When you run the installation wizard, you will at some point be asked to define Internal Networks. At this point, click “Add Adapter”; the networks you have configured should be listed as in the image below.


After you have chosen the NIC card, you should be presented with the splash screen shown below.


You must now choose which NIC interfaces should be part of your TMG setup; you can manually add or change these settings at a later point if you need to. In my case I want to use all of the NIC interfaces because the topology template that I will use is the 3-leg perimeter network. Again, this is just a template and you can change it at a later time.


After you have chosen this template, you will be guided to determine which NIC interface belongs to which leg. In my case this is as follows.

  • External Network (CORP.LAN)
  • Internal Network (HQ.LAN)
  • Perimeter Network (DMZ.LAN)

When you choose to have the External Network use DHCP, you will be presented with a security warning, which we will just ignore in this test scenario. In a real-life TMG setup, security warnings should not be ignored as we do in this setup.

The system configuration is basically the one screen shown below. In my case there is nothing to change because my TMG server is installed as a standalone server in its own workgroup.


The next series of questions concerns the deployment of the TMG server; you can follow the guide and just accept the default values. You have now successfully installed the TMG server, and if you ticked “Run Access Wizard”, the TMG server will start the wizard for setting up a basic web access rule. If you did not tick it, the Forefront management console should open.
I suggest just running the web access wizard; it will set up access to the internet from internal servers. There is nothing tricky in this wizard, just use the default settings.


You might encounter a script error that prevents this console from opening due to an incompatibility with IE 9. Follow the link below to a thread that discusses this problem

It also describes a manual workaround for this problem:
Open “C:\Program Files\Microsoft Forefront Threat Management”

  • Search for the 3 lines which contain “paddingTop”, and comment out each of them by adding “//” at the beginning.

Example: Change the line: m_aPages [niPage] = ((m_nBoostUp < 0) ? -m_nBoostUp : 0) ;

to: // m_aPages [niPage] = ((m_nBoostUp < 0) ? -m_nBoostUp : 0) ;
  • Save the file, and re-open TMG management console.
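
The manual workaround above as a script, an added example that is not part of the original post or of the thread it links to: it comments out the “paddingTop” lines, keeps a backup, and refuses to write unless it finds the 3 lines the workaround mentions. The -Path and -Expected parameters and the ANSI encoding are assumptions; the post truncates the location of the file to edit, so it is passed in.

```powershell
# Added example, not from the original post. -Path is the script file the
# workaround edits; the post truncates its location, so it is a parameter here.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [int]$Expected = 3            # the post says 3 lines contain "paddingTop"
)
$ErrorActionPreference = 'Stop'

$full  = (Resolve-Path -LiteralPath $Path).ProviderPath
$enc   = [System.Text.Encoding]::Default   # assumption: ANSI/ASCII script file
$lines = [System.IO.File]::ReadAllLines($full, $enc)

$changed = 0
$already = 0
$out = foreach ($line in $lines) {
    if ($line -notmatch 'paddingTop') {
        $line                                  # unrelated line, keep as is
    } elseif ($line -match '^\s*//') {
        $already++                             # commented out on an earlier run
        $line
    } else {
        $changed++
        '//' + $line                           # same edit the post makes by hand
    }
}

# Refuse to write if the file does not look like the one the post describes.
if (($changed + $already) -ne $Expected) {
    throw "Found $($changed + $already) 'paddingTop' lines, expected $Expected. File left untouched."
}
if ($changed -eq 0) {
    Write-Output "All $already lines are already commented out. Nothing to do."
    return
}

# Keep a timestamped copy so the edit can be rolled back later.
$backup = '{0}.{1}.bak' -f $full, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $full -Destination $backup
[System.IO.File]::WriteAllLines($full, [string[]]$out, $enc)
Write-Output "Commented out $changed line(s) in $full; backup at $backup"
```

Run it from an elevated PowerShell prompt, since the file sits under Program Files.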

Hopefully you can now open the management console and find the menu item Firewall Policy. You might have to add the DNS protocol to the firewall policy for your internal servers to be able to look up DNS addresses on the internet.
Just edit the policy and add the DNS protocol.


In the Web Access Policy menu, you should see something similar to what is shown below


Note the web proxy address; you have to use it when you set up the connection in the Internet Explorer proxy settings.

You are now ready to try to connect an internal server to the internet using your proxy server. First you should configure the NIC on the server according to your settings


Next you should set up IE to use a proxy server to access the Internet.


In my case I have created a DNS address called “proxy” that points to my IP: to make it simpler to enter this value. Later I will show how to create a GPO that sets this automatically.

Hopefully you can now access the Internet through your proxy server, and you are ready to set up the rest of the SA360 environment.
