TMG specific limitations, considerations and requirements

I was building a TMG 2010 architecture for one of my customers and during this period I consolidated some of the limitations and considerations in specific scenarios. This article is a one place summary for them:

Single network adapter functionality:

The single network adapter topology enables limited Forefront TMG functionality, that includes:

  • Forward (CERN) proxy for HTTP, HTTPS, and CERN proxy FTP (download only).
  • Web caching for HTTP and CERN proxy FTP.
  • The following Web publishing scenarios:
    • Web publishing.
    • HTTP-based communications, such as Microsoft Office SharePoint Server, Exchange Outlook Web Access 2007, ActiveSync®, and remote procedure call (RPC) over HTTP (Outlook Anywhere, Terminal Services Gateway or WSMAN-based traffic).
  • Dial-in client virtual private network (VPN) access.

Limitations of a single network adapter topology:

The following limitations apply when you use the single network adapter topology:

  • Server publishing and site-to-site VPN are not supported.
  • SecureNAT and Forefront TMG Client traffic are not supported.
  • Access rules must be configured with source addresses that use only internal IP addresses.
  • Firewall policies must not refer to the external network.

Workgroup Considerations:

The following considerations must be taken into account when deploying solution components into a workgroup environment:

  • Enterprise deployments and array deployments in a workgroup environment require additional preparation steps that aren’t required in a domain environment, and require maintaining mirrored accounts on Forefront TMG computers for management purposes.
  • Local accounts that belong to the Administrators group must be maintained on all Forefront TMG servers for management purposes. The accounts must have matching passwords.
  • If web traffic is to be authenticated, one of the following conditions must be met:
    • The credentials of all users must be mirrored on each Forefront TMG server. Any groups used in access rules must also be duplicated across all TMG servers.
    • Forefront TMG servers must be configured as RADIUS clients and RADIUS users and groups used for access control.
  • Domain name suffixes need to be set on all Forefront TMG servers, since they use fully qualified domain names (FQDNs) to communicate with EMS and each other.
  • Only a single EMS can be used for the entire Enterprise, this is because of EMS replication requires Kerberos to authenticate.
  • Automatic web proxy detection using Active Directory is not available (clients can still use DNS, DHCP, automatic configuration scripts or manual configuration).
  • Certificates must be installed to allow Forefront TMG servers to authenticate a remote configuration store.
    • For Enterprise arrays, certificates must be installed on each EMS and the certificate of the root CA installed on every Forefront TMG server.
    • For Stand-alone arrays, certificates must be installed on every Forefront TMG server to allow the “array manager” role to be transferred to any member.
  • If HTTPS inspection is used, the root certificate of the hierarchy used to inspect HTTPS sessions must be manually installed on all web client computers.
  • You can not lock down the Forefront TMG server using Group Policy rather than local policies.
  • You can configure VPN client user mapping to map users of operating systems other than Microsoft Windows to domain user accounts. User mapping is only supported when Forefront TMG is installed in a domain.

Remote management through a firewall":

If you are connecting to Forefront TMG through a firewall for remote management, or as a Forefront TMG protected client, note the following:

  • Remote management, such as, from an Enterprise Management Server (EMS) computer, requires the use of remote procedure call (RPC) for remote server status and service status monitoring.
  • The path from Forefront TMG clients to Forefront TMG must not be port-filtered.

The ports required at the intervening firewall are described in the article Service overview and network port requirements for the Windows Server system (

Authentication considerations:

You should consider the following authentication issues when selecting a domain or workgroup deployment:

  • When access rules require internal clients to authenticate for outbound access, Forefront TMG can authenticate domain user accounts against AD DS. Web proxy requests in a workgroup environment can be authenticated against a RADIUS server.
  • Firewall client requests automatically include user credentials. To authenticate these requests, Forefront TMG should belong to a domain. In a workgroup environment, you can authenticate requests with user accounts that are mirrored to accounts stored in the local Security Accounts Manager (SAM) on the Forefront TMG server, although this requires some administrative overhead for secure management.
  • To authenticate inbound requests to internal Web servers using domain account credentials or certificate authentication, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS or SecurID server can be used for authentication.
  • To authenticate virtual private network (VPN) requests using domain account credentials or certificates, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS server can be used for authentication.
  • You can not use TMG for ADFS pre-authentication.

Enterprise Management Servers:

  • EMS is available only for users of Forefront TMG Enterprise Edition; it is not available for users of Forefront TMG Standard Edition.
  • If all EMS are lost, the running policy cannot be reverse-engineered into the EMS-format policy. For this reason, you MUST perform regular policy backups as well as performing a backup prior to any policy change.
  • The first-installed EMS server is the owner of the schema and naming roles. If this server is lost, you cannot make schema changes until these roles are seized by one of the remaining EMS replica. Refer to for details
  • The computer must be connected to the Internet during the installation process.
  • TMG EMS must be installed on a separate system outside of the array.
  • While Forefront TMG servers and arrays can retrieve their configuration from an EMS across a WAN link, monitoring performance (such as viewing Forefront TMG logs) will be poor over a low bandwidth connection. This is because the EMS needs to retrieve server-specific information from the array members themselves and this is performed using a combination of SMB, RPC or DCOM protocols based on Windows remote management API usage.
  • Installation of EMS on Domain Controllers is not supported.


  • Forefront TMG must be deployed in an Edge scenario and the source network(s) must have NAT relationships with the default “External” network.
  • The organization must have two ISPs on unique networks (i.e. the network portion of the IP addresses must be different). Forefront TMG can connect to these either using individual adapters or a single adapter (with two unique network addresses bound).
  • If two network adapters are used to connect to the two ISPs, they should each have a different default gateway pointing to the respective ISP’s nearest router.
  • If two network adapters are used to connect to the two ISPs, the network offload processing configuration must be identical on both adapters. If the settings are not identical, network offload processing will be disabled on both adapters.
  • If one network adapter is used to connect to both ISPs, configure two default gateways pointing to the respective ISP’s nearest routers.
  • If both ISPs use DHCP to assign an address, manually add default routes to each ISP in the routing table.
  • ISP-R only works for connections that have a NAT relationship with the default “External” network.
Comments (3)

  1. Anonymous says:

    Regarding "If all EMS are lost, the running policy cannot be reverse-engineered into the EMS-format policy.":

    The running policy actually CAN be reverse-engineered into the EMS-format policy.

    Current array configuration can be exported from array node's registry to XML using script with root.ConnectToLocalStorage. Then this XML file after some modifications can be successfully imported to CSS.

    I tested this method after the only TMG EMS server was lost and no configuration backup was available.

    I described it in details here…/retrieve-current-TMG-configuration-from-array-node-registry.html

  2. David says:

    "EMS is available only for users of Forefront TMG Enterprise Edition; it is not available for users of Forefront TMG Standard Edition".

    Someone at this blog say sometime different:…/TMG-Enterprise-Arrays-Explained.html

    "One of the lesser-known features of TMG Enterprise Edition is the ability to manage TMG Standard Edition firewalls. This will greatly simplify management for environments that deploy a mix of TMG Standard and Enterprise edition firewalls."

    Where is the truth? 🙂


  3. jkl says:

    Both is truth.  😉

    With an Enterprise TMG EMS you are able to manage Standard TMGs.

Skip to main content