TMG post deployment checklist

Today, more and more people deploying Forefront TMG for various business needs are approaching us, asking for a methodical post-deployment sanity test checklist. Forefront TMG is packed with new and existing features that need to be verified once deployment is complete.

In this post I’ll list Forefront TMG SWG (Secure Web Gateway) features, and how to check and validate functionality for each feature after you deploy Forefront TMG and before you put it in full production. 


SWG - Secure Web Gateway

Forward Web proxy


Figure 1 - IE proxy settings



Test steps:

  1. Point a client browser to your proxy server (see Figure 1 for one of the methods to do this).
  2. Browse to and confirm your proxy and external IP settings.
  3. Browse to - You should go through your proxy when the ‘bypass’ flag is turned off on the client browser.
  4. Browse to and conduct a short OWA session.
  5. Browse to well-known websites, such as,, and Make sure they are all responsive and with no distortions.
  6. Download a large file from two different computers. The second computer should download the file much faster as the file should be served from the cache. Check in the log-viewer that this is true.  
  7. Open an FTP connection to You should be able to login and list/download files.
  8. If you don’t create a web-proxy session or fail on any of the above steps, go to “Logs&Reports\Logging” and initiate a query to detect and analyze the traffic from your client machine.

EMP – Enterprise Malware Protection

Figure 2 - Client browser side


  • You have EMP configured


Test steps:

  1. Browse to
  2. Download one of the test virus files using the standard protocol http
  3. EMP should identify the virus and send the client a blocking message, as appears in Figure 2.
  4. Validate this by running a query on the Forefront TMG Log-viewer, filtered by “Malware Inspection result = Infected File”  (see Figure 3)


Figure 3 – TMG Log-viewer side

Figure 4 – Forefront TMG Update Center view

  • Make sure that the EMP signature definitions are up to date, as shown in Figure 4. Install any updates listed.

HTTPSi – HTTPS Inspection

Figure 5 – Forefront TMG certificate


  • You have HTTPSi and EMP configured
  • You have destination or source exemptions configured.
  • You have the latest TMGC (Forefront TMG client that supports HTTPSi notifications) deployed.


Test steps:

  • EICAR has SSL test signatures so that you can test HTTPSi and EMP.
  1. Browse to - to check that EMP is working and scanning the traffic over the SSL channel.
  2. Download one of the test virus files using the secure, SSL enabled protocol https.
  3. EMP should identify the virus and send the client browser a notification.
  4. Browse to an SSL website and check that the certificate is from TMG (as shown in Figure 5).

Figure 6 – Website security warning for a non-trusted certificate

  • Check that the client workstation does trust the certificate that TMG is using when trying to get a secured website. This ensures that clients don’t see the Certificate Error page shown in Figure 6. If the Certificate Error page appears, the certificate is not properly deployed to the client machine.
  • Validate exceptions for HTTPS Inspection, either for the source or for the destination. Do this by browsing to a Web site that is excluded or by browsing from a computer that is excluded and verify that the certificate is not from TMG.
  • Run a query on the Forefront TMG Log-viewer filtered by “Malware Inspection result = Infected File” and the time of the request. Check that the Destination Port and Protocol are 443 & https-inspect respectively (see Figure 7).


Figure 7 – Forefront TMG Log-viewer

Figure 8 – Forefront TMGC HTTPSi notification

  • Check that the HTTPS Inspection client notification is being sent to the client machine (you need to have TMG client installed), as shown in Figure 8, upon requesting a non-excluded SSL website.
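
The certificate checks in this section can also be scripted from a client workstation. The following is an added example, not part of the original post: it opens a CONNECT tunnel through the proxy and compares each site's certificate issuer with the expected one. The proxy address, the CA name and the host names are placeholder assumptions to replace with your own values.

```python
import http.client
import ssl

# Assumed placeholder values (not from the original post); edit for your site.
PROXY = ("tmg.example.internal", 8080)              # TMG web proxy listener
INSPECTION_CA = "Example TMG HTTPS Inspection CA"   # CN of the HTTPSi CA cert
TARGETS = {"inspected.example.com": True, "exempt.example.com": False}


def issuer_cn(cert):
    """Issuer common name from an ssl getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def fetch_issuer(host, proxy=PROXY, timeout=10):
    """CONNECT to host:443 via the proxy; return (issuer CN, chain trusted)."""
    ctx = ssl.create_default_context()   # validates against the client's store
    conn = http.client.HTTPSConnection(*proxy, timeout=timeout, context=ctx)
    conn.set_tunnel(host, 443)
    try:
        conn.connect()
        return issuer_cn(conn.sock.getpeercert()), True
    except ssl.SSLCertVerificationError:
        return None, False               # what the browser shows as Figure 6
    finally:
        conn.close()


def check(expect_inspected, issuer, trusted, ca=INSPECTION_CA):
    """Compare one observation with the checklist expectation."""
    if not trusted:
        return False, "certificate chain not trusted on this client"
    inspected = issuer == ca
    if inspected != expect_inspected:
        return False, f"inspected={inspected}, expected {expect_inspected} (issuer {issuer!r})"
    return True, "issued by TMG" if inspected else f"exempt, issuer {issuer!r}"


def run(targets=TARGETS, fetch=fetch_issuer):
    # fetch is injectable so the decision logic can be exercised offline.
    return {host: check(expect, *fetch(host)) for host, expect in targets.items()}


if __name__ == "__main__":
    for host, (ok, reason) in run().items():
        print("PASS" if ok else "FAIL", host, reason)
```

On Windows, `ssl.create_default_context()` loads the Windows certificate stores, so an untrusted result for an inspected host points to the inspection CA certificate not being deployed to that client.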

URLF – URL Filtering

Figure 9 – URLF blocking page


  • URLF is configured
  • You have overridden a URLF Category for a specific website.


Test steps:

  1. Browse to sites that should be blocked by URLF depending on your configuration. Confirm that the user is getting the correct custom message (an example is shown in Figure 9) or being redirected according to the policy (or check the default message).
  2. Browse to a site that has a category override and make sure that it is allowed or blocked depending on the configuration.
  3. Check that you can run a query from the URLF UI.
  4. Check that you can query and report classification issues to Microsoft from MRS (Microsoft Reputation Service) website.
  5. TMG Log-viewer: run a query filtered using the “Blocked Web Destinations” rule and make sure the URL Category detected is correct (see Figure 10).


Figure 10 – TMG Log-viewer URLF query

NIS – Network Inspection System

Figure 11 – NIS blocking page


  • You have NIS configured


Test steps:

  1. Enter the following test signature URL in your client web browser to test NIS. If NIS is working, the attempt to open the website should be blocked by TMG with a TMG generated message, as illustrated in Figure 11.
  2. Confirm that you get an alert on signature detection or block (see Figure 12).

Figure 12 – TMG alert upon blocking signature

  3. Run a query in the TMG Log-viewer, filtered by “NIS scan result = Blocked” and confirm detection.

Figure 13 – TMG Log-viewer query result for blocked signatures

Figure 14 – TMG IPS\NIS UI

  • Check that you get signature updates in TMG IPS (Intrusion Prevention System)\NIS UI, as shown in Figure 14.



This blog post describes the post-deployment checklist for SWG (Secure Web Gateway) features. It is not a deployment or troubleshooting guide.

Features covered here for sanity testing are Forward Proxy, EMP (Enterprise Malware Protection), URLF (URL Filtering), HTTPSi (HTTPS Inspection) and NIS (Network Inspection System).

In the next post on this subject, we’ll cover other Forefront TMG features for the sanity test checklist, such as Reverse proxy (web-publishing), VPN (both SSTP & PPTP), Setup, Upgrade, ISPR (ISP Redundancy), Reporting, ENAT (Enhanced NAT), EMS (Enterprise Management Server) and Stirling connectivity.



Gabriel Koren

Microsoft Forefront TMG test team



Gershon Levitz, James Kilner
