Forefront TMG 2010 Web Protection Services Licensing


Forefront TMG 2010 adds two new subscription-based features, known collectively as Forefront TMG Web Protection Services (WPS). These features include URL Filtering (URLF) and Anti-Malware or Enhanced Malware Protection (AM or EMP). One thing that makes these features unique within Forefront TMG is that they are licensed separately from Forefront TMG itself. This blog will discuss the various licensing and purchasing options available for URLF and EMP subscriptions and guide you through managing the license details in Forefront TMG management.


WPS Purchasing and Pricing

The first thing most people want to know is “How do I get a Forefront TMG WPS license and how much does it cost?”

Forefront TMG WPS is subscription product licensed per user or per device.  This subscription is only offered through Microsoft Volume Licensing programs, and must be purchased separately from Forefront TMG 2010. Forefront TMG WPS is included in Forefront Protection Suite and ECAL.  You can find information on purchasing Forefront TMG WPS through Microsoft or a Microsoft partner at

The Forefront TMG WPS pricing structure is outlined in

UPDATE: we've received a number of request for clarification on what is to be entered in the "key" field when activating your WPS license.  This field receives the number that represents your Enterprise Agreement (EA).  If your EA number is longer than seven digits, enter only the first seven digits of the EA number in the "key" field. 

Verifying the Evaluation License

You may want to take advantage of Forefront TMG WPS while you wait for your license to arrive; or perhaps you want to give WPS a test drive before you decide whether you want to purchase a license. Regardless, TMG provides a free 120-day trial subscription that goes into effect as soon as you deploy Forefront TMG 2010.


Using the Getting Started Wizard (GSW)

The Getting Started Wizard (GSW) provides one way to configure these options. During this process, you can choose to enable HTTPS Inspection, URLF and EMP as well as whether to use the evaluation license (selected by default). The following steps show you where you make these choices in the GSW.

Note: if the TMG computer is a member of an array, the GSW is not available. In this case, you must use the Without the GSW steps


Immediately after FOREFRONT TMG Installation

When the installation wizard completes successfully, you are offered the option to launch the Forefront TMG management console. Select Launch Forefront TMG Management when this wizard closes and click Finish as shown below:


Figure 1- GSW TMG management startup

1.       When the Forefront TMG management console opens, the GSW appears. Proceed through the Configure Network Settings and Configure System Settings wizards

2.       When the Configure System Settings wizard completes, click on Define Deployment Options as shown below:


Figure 2 - GSW deployment options

3.       In the Welcome to the Deployment Wizard page, click Next

4.       In the Microsoft Update Setup page, select Use the Microsoft Update service to check for updates (recommended) and click Next

5.       In the Forefront TMG Protection Features Settings page Web protection area, make the following selections as shown below and click Next:


Figure 3 - GSW Web protection license

Note: as shown above, Forefront TMG automatically enables the evaluation license and sets the expiration data for 120 days from the installation date, regardless whether you enabled Forefront TMG WSP. If you already have your Forefront TMG WPS subscription license, you should change the license options using your license key (Enterprise Agreement number) and EA expiration date as shown below:


Figure 4 - Entering the license in GSW

6.       Continue through the remaining Deployment Options Wizard pages using options appropriate to your environment


After Running The GSW

If the GSW has already been run, but Forefront TMG is not yet joined to an array, you can still use the GSW to perform these tasks.

1.       Open the Forefront TMG management console

2.       In the left pane, select <ArrayName>

3.       In the right pane, click Launch Getting Started Wizard

4.       When the Getting started Wizard appears, click on Define Deployment Options as shown below:


Figure 5 - Re-running the GSW

5.       Continue with step (4) in Immediately After TMG Installation


Without the GSW

If you joined Forefront TMG to an array, the GSW isn’t available to configure Forefront TMG WSP licensing. In this case, you need to accomplish this task in a different way.

Note: because the same license information applies equally to URLF and EMP, this task only needs to be performed once; not once for each feature.

1.       Open the Forefront TMG management console

2.       In the left pane,

3.       Expand

a.       (Enterprise Edition) Arrays, then <ArrayName>

b.       (Standard Edition) <ArrayName>

4.       Select Web Access Policy

5.       In the right pane, click  Configure Malware Inspection

6.       In the Malware Inspection page, click License Details.

7.       In the License Details page, you will see that the license is “Evaluation” as shown below:


Figure 6- License details in Malware Inspection controls

8.       If you want to activate your license, enter the Enterprise Agreement number and expiration date in the fields provided as shown below:


Figure 7 - Entering license details in MI control

9.       Click Apply, then OK


All done

In the center pane, click Apply to enforce your new policy. When prompted, enter a description for this change (hey - the URL for this blog could work) and click OK


Monitoring License State

Something the Forefront TMG product team foresaw is the need for the Forefront TMG administrator to get advance warning that the Forefront TMG WPS license is nearing expiration or that it has already expired. Thus, they created two new alerts specific to this feature set as shown below:


Figure 8 - License alerts

·         License Expired this error alert is triggered when the Forefront TMG WPS license expiration date has passed. At this point, Forefront TMG is no longer receiving EMP updates nor is it issuing MRS queries.

·         License Nearing Expiration this warning alert is triggered when the current date is within one month of the expiration date. Forefront TMG continues to obtain EMP updates and issue MRS queries until the license actually expires.

These two alerts are enabled by default and both are configured to write an event to the Windows Application event log when they are triggered. This makes it possible for any standard server monitoring system to be monitor for these alerts and thus make you aware when you need to take action regarding your license.

If your license has expired, and you attempt to initiate an update cycle from the Update Center in Forefront TMG management, this action will result in the warning message shown below:


Figure 9 - Update Center license expired warning

If you click Yes, Forefront TMG will attempt to perform an update cycle for NIS signatures only.



By default, Forefront TMG provides and enables an evaluation license for Forefront TMG WPS that expires 120 days after installing Forefront TMG; not 120 days after you enable EMP or URLF. Forefront TMG provides two alerts relevant to Forefront TMG WPS licensing that also write to the Windows Application event log. Finally, changing and verifying your Forefront TMG WPS license details is as simple as a few mouse clicks.


Jim Harrison, Program Manager, Forefront TMG

Adwait Joshi, Senior Product Manager, Identity & Security BG
Brita Jenquin, Senior Product Manager, Identity & Security BG

Comments (32)
  1. Anonymous says:


    Thanks for this posting which helped me solve our Web Protection Activation problem. Note that TMG refused to accept the use of the first seven digits of our Enterprise Agreement number, but that our Enrollment Number (7 digits) did work.



  2. It is not possible to extend the eval license.

    We've updated the blog to clarify what data is to be entered in what fields to active the WPS license.

    sorry for any confusion…

  3. Anonymous says:

    Hi Balmeri, a CAL is a Client Access License. If you have more users than Devices then go with Device CALs. Imagine a call center type environment where multiple shifts come in and share the same workstation. So imagine 400 users using 200 devices across multiple shifts. Having Device CALs allows you to buy a single  CAL for each device even if 2 users log on to it on different shifts. In the same scenario, if you purchase user CALs, you will need to buy 400 user CALs instead of just the 200. CAL generally cost the same, so you quickly see the potential in savings. On the flip side, if you have 1 user accessing multiple devices (Desktop, laptop and a smartphone) you can get away with purchasing 1 User CAL instead of 3 Device CALs. I hope that makes sense.

  4. khemarin Set says:


    I'm using Forefront Threat Management Gateway 2010 as my production environment. I was downloaded the trial software. Now it is expired date. I want to activation the key. It is required to reinstall TMG 2010. Do you have any solution without reinstall? I'm looking to hearing from you.


    Khemarin Set

  5. DF says:

    It is any posibility to extend the evaluation license?

  6. Tom Klose says:

    No one, even Microsoft licensing can tell you where to get the licsense key and date after you purchase it…..3 weeks wasted so far and the eval expired!

  7. tk says:

    No one, even Microsoft licensing can tell you where to get the licsense key and date after you purchase it…..3 weeks wasted so far and the eval expired!

  8. David Francis says:


    I had great difficulty with MS this morning trying to find out how to get the licence key for WPS. Effectively you need to ring MS Product Activation on 08000 188364, give them your agreement details and they will be able to activate the licences for you. As it is a subscription service, you do not get a VLK in the same way that you normally would. Hope this helps some people wasting time.

  9. ED says:

    What happens if the license expire and you still use the functions? Like URL category filtering..

  10. sundeep says:

    hi..i have contacted many microsoft vendors here in my country, Mauritius, to buy the web protection, and they told me that i can buy it online only, the vendors do not sell this add on.

    can any1 please advise me


  11. Chris Titus says:

    You can order the licences from

  12. DAniel POveda says:

    Hi, I have a question, pls, if I buy for example 300 licenses for tmg web protection services and I use 301 users or devices, is there any consideration? the service will be available for the 301 users? tks

  13. Balmeri says:


    I've a question – can someone explain the difference in functionality between Device or User CAL's.  I'm not sure where I'd need one or other?  I've seen machines listing up as blocked and users – so I've no idea how many of which I need – or is there one I can get where it covers both?  Does it matter – if I buy 3000 device CALs and I've got users going out – does it block?  I'm confused….. help! 🙂


  14. Luna says:

    If the  TMG subscription expire, how t is the grace period that they can use?

  15. Edna says:

    If I dont have an enterprise agreement, but Insted I got it through an Open License, should I put the first or last 7 digits? It only gives you the option to enter 7 digits… but it lett you go fwd to input the date… Can someone help??

  16. M S Ali says:

    We recently renewed our EA and this time we have been given an 8 digit License Agreement Number and the Forefront products including TMG only accepts 7 digit. I belive an Update is in order?

    With Regards,

    M S Ali

  17. Shijin Prasad says:


    Today my WPS is going to expire. I have configured URL blocking some URL's like facebook, personal mail.. for some computer groups in our network. So tommoroow onwards whether this URL Filtering will stop working in our network or this URL filtering is only related to Cloud based?


    Shijin Prasad

  18. George To says:

    Hello, thanks for this posting about the WPS licensing.

    How about server farm environment?  Is it possible/suitable to use TMG with WPS to inspect the incoming/outgoing virus/malware against the Internet web servers?

    If possible?  If we have (say) 5 web servers, all 5 web servers listen to 20 public IP in total,

    then, we need 5 device CAL, or 20 device CAL?

    Thank you very much.

  19. Brian says:

    Our TMG Web Protection has recently expired and now URL filtering has stopped working. I figured that the filtering would still work just without any updates but that's not the case. I'm working on ordering licenses from CDW, but I don't like the fact that Microsoft doesn't give you a little time to purchase licenses when they expire.

  20. Richard Artes says:

    Fantastic article, thanks very much.

  21. nick says:


    We recently bought the eCAL license but can't find the key in the licence portal.

    How can we reveil the key?

  22. techs21 says: -If i purchase one of these, am I able to get my key right away or do I have to register for it? What if I need it ASAP? I don't think this is good.

  23. Bruno Kinoshita says:

    This is the most ridiculous thing I've ever seen.

    The URL filter feature is a must for a Firewall / Proxy.

    The squidguard (Open Source for Linux) is fantastic and maybe even better. And it's free.

    I agree only to pay the Anti-Malware or Enhanced Malware Protection.

  24. Naz2 says:

    I am agree with Bruno, it’s really ridiculous, then for what is TMG and how i can block what is the benifits of TMGGGGGGGGGGGGGG

  25. bchapman255 says:

    Yep, we found out the hard way as well.

    What happens is that EVERY website that goes through a WPS-expired TMG 2010 gets classified as "Unknown."  If you have a firewall or web proxy rule blocking the URL category of "Unknown," then nothing will go through.  If "Unknown" is not blocked, then EVERYTHING will go through.

    To block specific websties (Naz, are you listening? 🙂 ), you have to create a URL set and add each site that you want blocked to that set.  For example, if you want to block Facebook, add "http://*; and "https://*; to the URL set.  

    This is okay if you only want to block specific sites, but what about thousands of sites from specific categories?  Well…only option is to renew the subscription.  Do it through–every other method requires too much bureaucracy…

  26. Jammy Lo says:

    Hotfix Rollup 4 for Microsoft Forefront Protection for Exchange has fix only accepts 7-digit License Agreement numbers issue…/en-us

    Please download and update to RU4,then retry again.

  27. gbenga says:

    does this expired license affect my policies from working..

  28. Babs says:


    We just deployed TMG 2010 about five months ago and we all have little idea of ISA 2006 b4 migrating to TMG. The malware inspection trial license has expired and all the blocked websites are open to all users. Pls can anybody tell me what is responsible for this and what is the way out. Tanx

  29. Abigaille says:

    I have the same question as Babs. Our URL filtering license has expired and Blocked websites are open to all users. This article has links to purchase the license, but they are all broken and our Microsoft resellerr doesn't know anything about this WPS license. Where can I renew our subscription!??

  30. Sokhavot says:

    can you tell me about license of TMG?

  31. Rodrigo Oleriano says:

    of course its possible, just type 7 digitis on the field where is Evaluation, and change the data to whatever year you want!

Comments are closed.

Skip to main content