43 Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager
This chapter describes how to configure communication between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010. The following sections are provided:
43.1 What is New in This Release?
Support for integration between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010.
Details in this chapter presume that you are familiar with Access Manager policies and operation.
43.2 Introduction to Integration with TMG Server 2010
This section provides an overview of the tasks that, once performed, enable this integration. Topics included are:
43.2.1 About This Integration
Microsoft Forefront Threat Management Gateway (TMG) 2010 is the next generation of the Internet Security and Acceleration (ISA) Server 2006.
This chapter provides steps to configure an open (non-secured) connection between the Forefront TMG Web server and Access Manager. This communication is based on using a 10g Webgate for ISAPI. For details about using a secured connection, see your Forefront TMG Server documentation.
You can have the IIS Web server and Forefront TMG installed on the same computer or on different computers. In the examples in this chapter, both reside on the same host.
The following overview outlines the tasks that you must perform and the topics where you will find the steps to set up the ISAPI Webgate with the TMG Server within this chapter.
Task overview: Installing and configuring the ISAPI Webgate on TMG Server
- Getting the latest certification matrix as described in "About Confirming Certification Requirements".
43.2.2 About Confirming Certification Requirements
Any references to specific versions and platforms in this chapter are for demonstration purposes. For the latest certification information, see Oracle Technology Network at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
43.3 Creating a Forefront TMG Policy and Rules
After you install Forefront TMG 2010, other computers cannot ping the computer hosting Forefront because the default firewall policy denies all traffic to and from the host.
This section provides the information you need for:
43.3.1 Creating a Custom Policy for Forefront TMG
You can create a custom Forefront firewall policy.
Prerequisites:
Install Forefront TMG 2010 using documentation from your vendor.
To create a custom policy to override the default firewall policy
43.3.2 Creating a Forefront TMG Firewall Policy Rule
To protect the resource, you must create a firewall policy rule using the Forefront TMG console.
When you create a listener for Authentication Preferences, be sure to check Allow client authentication over HTTP and Require All users to authenticate. Otherwise, you will not be able to access the published Web site using the TMG proxy.
Authentication Delegation is used by the TMG server to authenticate to the published Web server.
Note:
You can have IIS and Forefront TMG installed on the same (or a different) computer. Here, both reside on the same host.
To create a custom policy to override the default firewall policy
43.4 Installing and Configuring 11g Webgate for Forefront TMG Server
You can set up the 11g Webgate and register plug-ins as Web filters.
Task overview: Configuring Webgate and Filters for TMG Server includes
43.4.1 Installing 11g Webgate with TMG Server
When you install Webgate with the Forefront TMG Server, the destination for the ISAPI Webgate installation (also known as the Webgate_install_dir) should be same as that of the Microsoft Forefront TMG.
For example, if Forefront TMG is installed in C:\Program Files\Microsoft Forefront Threat Management Gateway, the ISAPI Webgate should also be installed there.
Task overview: Installing the ISAPI Webgate for Forefront TMG Server
43.4.2 Changing webgate Directory Permissions
After finishing the ISAPI Webgate installation and configuration for the Forefront TMG Server, you must change permissions on the webgate subdirectory.
This subdirectory was created in the Forefront TMG Server (also Webgate) installation directory. You must add the user NETWORK SERVICE and grant full control to SYSTEM ADMINISTRATOR. This enables the Forefront TMG Server to establish a connection between the Webgate and the Access Server. Certain configuration files must be readable by system administrators, which is why you grant SYSTEM ADMINISTRATOR full control.
Note:
Webgate in Simple Mode: add the user NETWORK SERVICE and give it Full Control for the password.xml file in TMG_install_dir<TMG_WG_INSTANCE_DIR>/webgate/config/password.xml.
To change permissions for webgate install and instance subdirectory:
cacls <WG Instance Dir>\webgate /E /T /G NETWORK:f
cacls <WG Instance Dir>\webgate /E /T /G "NETWORK SERVICE":f
cacls <WG Install Dir>\webgate /E /T /G NETWORK:f
cacls <WG Install Dir>\webgate /E /T /G "NETWORK SERVICE":f
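The following script is an added example, not code from the Oracle chapter or from the Webgate product. It applies the permission change that section 43.4.2 describes using icacls (the successor of cacls) and then reads the ACL back to confirm that each principal actually holds Full Control, which the bare cacls commands above do not do. The two directory paths are placeholders for <WG Install Dir> and <WG Instance Dir>; adjust them to your host.

```powershell
# Added example: grant and verify Full Control on the webgate install and instance
# subdirectories for NETWORK and NETWORK SERVICE, as section 43.4.2 requires.
# $WgInstallDir and $WgInstanceDir are placeholders, not paths from the chapter.
param(
    [string]$WgInstallDir  = 'C:\Program Files\Microsoft Forefront Threat Management Gateway',
    [string]$WgInstanceDir = 'C:\OAM\wg_instance'   # placeholder instance directory
)

$targets    = @((Join-Path $WgInstallDir 'webgate'), (Join-Path $WgInstanceDir 'webgate'))
$principals = @('NT AUTHORITY\NETWORK', 'NT AUTHORITY\NETWORK SERVICE')
$full       = [System.Security.AccessControl.FileSystemRights]::FullControl

function Grant-WebgateAccess {
    param([string]$Path, [string]$Principal)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Missing directory: $Path" }
    # (OI)(CI) inherit to files and subfolders, F = Full Control, /T = apply recursively,
    # which is the icacls equivalent of cacls /E /T /G <principal>:f
    & icacls.exe $Path /grant "${Principal}:(OI)(CI)F" /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }
}

function Test-WebgateAccess {
    # Returns $true only when an Allow entry for the principal includes every FullControl bit.
    param([string]$Path, [string]$Principal)
    $acl  = Get-Acl -LiteralPath $Path
    $hits = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$hits
}

foreach ($dir in $targets) {
    foreach ($p in $principals) {
        Grant-WebgateAccess -Path $dir -Principal $p
        if (Test-WebgateAccess -Path $dir -Principal $p) {
            Write-Host "OK: $p has Full Control on $dir"
        } else {
            Write-Warning "ACL check failed: $p does not have Full Control on $dir"
        }
    }
}

# Simple Mode only (see the note above): show the effective ACL on password.xml
$passwordXml = Join-Path $WgInstanceDir 'webgate\config\password.xml'
if (Test-Path -LiteralPath $passwordXml) {
    Write-Host "password.xml ACL:"
    (Get-Acl -LiteralPath $passwordXml).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt on the TMG host after the Webgate installation has finished; the ACL read-back is what tells you the grant took effect on the directory itself and not only on a subset of inherited entries.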
- Proceed to the "Configuring the TMG 2010 Server for the ISAPI 11g Webgate" section.
43.5 Configuring the TMG 2010 Server for the ISAPI 11g Webgate
You can configure the TMG Server to operate with the 11g ISAPI Webgate for Access Manager.
Task overview: Configuring the TMG 2010 Server for the ISAPI 11g Webgate
43.5.1 Registering Access Manager Plug-ins as TMG Server Web Filters
After resetting ISAPI Webgate permissions, you need to register the Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within Forefront TMG Server.
Web filters screen all HTTP traffic that passes through the TMG Server host. Only compliant requests are allowed to pass through. The following procedure describes how to register Access Manager plug-ins in the TMG Server.
Note:
To undo the filter registration, you can use the following procedure with the /u option in the regsvr32 command. For example: regsvr32 /u <TMG_WG_INSTALL_DIR>\webgate\iis\lib\webgate.dll
To register Access Manager plug-ins as TMG Server Web filters
43.5.2 Verifying Form-based Authentication
You need to ensure that the published Web site is accessible using the TMG proxy and verify that form-based authentication is working.
TMG supports Basic over LDAP as well as Form-based or Basic authentication. You can choose the desired authentication scheme. TMG needs access to login.html, which you configure as described here.
To verify that form-based authentication is working
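As an added check, not part of the Oracle chapter, the script below sends one unauthenticated request for the published site through the TMG proxy and confirms that the first answer is a login challenge (a redirect to the login page or the form itself) and not the protected content. The published URL and the marker text that identifies the login page are assumptions; replace them with your own values.

```powershell
# Added example: probe the published Web site and confirm that an anonymous request
# receives a form-based login challenge rather than the resource itself.
# $PublishedUrl and $LoginMarker are assumed values, not from the chapter.
param(
    [string]$PublishedUrl = 'http://tmg.example.com/protected/index.html',   # placeholder
    [string]$LoginMarker  = 'login.html'   # expected in the redirect target or the form page
)

function Get-RawResponse {
    # One GET with redirects disabled, so the very first response from TMG is visible.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = 'GET'
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403 still carry a response object; a null response is a transport error
        if ($null -eq $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $body   = ''
    $stream = $resp.GetResponseStream()
    if ($stream) { $body = (New-Object System.IO.StreamReader($stream)).ReadToEnd() }
    $result = [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Location = [string]$resp.Headers['Location']
        Body     = $body
    }
    $resp.Close()
    return $result
}

function Test-FormAuthChallenge {
    # Pass when TMG either redirects to the login page or serves the login form inline.
    param([string]$Url, [string]$Marker)
    $r = Get-RawResponse -Url $Url
    $redirectedToLogin = ($r.Status -ge 300 -and $r.Status -lt 400 -and $r.Location -like "*$Marker*")
    $servedLoginForm   = ($r.Body -match '(?i)<form' -and $r.Body -like "*$Marker*")
    [pscustomobject]@{
        Url      = $Url
        Status   = $r.Status
        Location = $r.Location
        Pass     = ($redirectedToLogin -or $servedLoginForm)
    }
}

$outcome = Test-FormAuthChallenge -Url $PublishedUrl -Marker $LoginMarker
$outcome | Format-List
if (-not $outcome.Pass) {
    Write-Warning "No login challenge observed; check the listener's authentication settings and that TMG can reach login.html"
}
```

A status of 200 with the protected page in the body is the failure case to look for: it means the listener is not requiring authentication for that request, which is exactly what the Allow client authentication over HTTP and Require All users to authenticate settings described earlier are meant to prevent.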
43.6 Starting, Stopping, and Restarting the TMG Server
When instructed to restart your TMG Server during Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen.
Also, the net commands help to ensure that the Metabase does not become corrupted following an installation. Consider the following commands, which provide good ways to stop and start the TMG Server:
- net stop fwsrv
- net start fwsrv
For more information, see your TMG Server documentation.
43.7 Removing Access Manager Filters Before WebGate Uninstall on TMG Server
If you plan to uninstall the Webgate that is configured to operate with the TMG Server, you must first unregister the Access Manager filters manually, and then uninstall Webgate.
To unregister filters before WebGate uninstall:
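The following script is an added example and is not code from the Oracle chapter or from the Webgate product. It ties together three procedures on this page: registering webgate.dll and postgate.dll as TMG Web filters with regsvr32 (section 43.5.1), unregistering them with the /u option before a Webgate uninstall (section 43.7), and restarting the Microsoft Firewall service, fwsrv, afterwards (section 43.6). The install directory is a placeholder for <TMG_WG_INSTALL_DIR>; the /s (silent) and /u (unregister) switches are standard regsvr32 options.

```powershell
# Added example: register or unregister the Access Manager ISAPI plug-ins as TMG Web
# filters, checking each regsvr32 exit code, then restart fwsrv and wait for it to come back.
# $WgInstallDir is a placeholder for <TMG_WG_INSTALL_DIR>.
param(
    [string]$WgInstallDir = 'C:\Program Files\Microsoft Forefront Threat Management Gateway',
    [switch]$Unregister   # pass -Unregister before uninstalling Webgate (section 43.7)
)

$plugins = @('webgate.dll', 'postgate.dll') | ForEach-Object {
    Join-Path $WgInstallDir "webgate\iis\lib\$_"
}

function Invoke-RegSvr {
    # regsvr32 is a GUI-subsystem program, so Start-Process -Wait is used to get its exit code.
    param([string]$Dll, [switch]$Remove)
    if (-not (Test-Path -LiteralPath $Dll)) { throw "Plug-in not found: $Dll" }
    $argList = @('/s')                       # /s: no message box
    if ($Remove) { $argList += '/u' }        # /u: unregister (the undo described in 43.5.1)
    $argList += "`"$Dll`""                   # quote: the path contains spaces
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 $($argList -join ' ') failed with exit code $($proc.ExitCode)"
    }
}

function Restart-TmgFirewall {
    # Equivalent of 'net stop fwsrv' followed by 'net start fwsrv', waiting for each state.
    $svc = Get-Service -Name 'fwsrv'
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name 'fwsrv' -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
    Start-Service -Name 'fwsrv'
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    return (Get-Service -Name 'fwsrv').Status
}

foreach ($dll in $plugins) {
    Invoke-RegSvr -Dll $dll -Remove:$Unregister
    $verb = if ($Unregister) { 'unregistered' } else { 'registered' }
    Write-Host "$verb`: $dll"
}
Write-Host "fwsrv is now $(Restart-TmgFirewall)"
```

Run it elevated on the TMG host. Without -Unregister it performs the registration step; with -Unregister it removes the filters, which is the order the chapter requires before Webgate is uninstalled. Checking the regsvr32 exit code matters because a silent run gives no other indication that the DLL failed to load or register.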