Threat Management Gateway Service Pack 2 now available

by Shijaz Abdulla on 10.10.2011 at 21:31

Microsoft Forefront Threat Management Gateway 2010 Service Pack 2 is now available for download.

The service pack includes the following new functionality and feature improvements:

New Reports

  • The new Site Activity report shows the data transferred between any user and specific websites.

Error Pages

  • A new look and feel has been created for error pages.
  • Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication

  • You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

To read the release notes, see the Forefront TMG Release Notes (SP2).

Forefront Endpoint Protection now bundled in the Core CAL Suite

by Shijaz Abdulla on 04.05.2011 at 17:29

Forefront Endpoint Protection, the best-in-class anti-malware solution from Microsoft for clients and servers, is now bundled with the Core CAL suite.

If your organization already has a licensing agreement that includes the Core CAL suite, you are licensed to use Forefront Endpoint Protection under the licensing terms and conditions.

“RPC Server Unavailable” error while requesting IP-HTTPS certificate on UAG

by Shijaz Abdulla on 09.01.2011 at 20:30

If you're enabling DirectAccess on Forefront Unified Access Gateway in a lab, and you try to request an IP-HTTPS certificate for the UAG machine from your Enterprise CA, you might run into the following error:

“RPC Server Unavailable 0x800706ba”

This is because Forefront Unified Access Gateway is already installed on the machine, and TMG (Threat Management Gateway) is blocking DCOM/RPC traffic that is required to request a certificate using the MMC snap-in.

To avoid this issue, Tom Shinder’s documentation suggests that you request the IP-HTTPS certificate before you install UAG.

However, if you have already installed UAG, follow these steps to request and install the IP-HTTPS certificate:

1. Open Notepad and paste the following text to create the INF file for the request (save it as ip-https.inf). The only values that may need to be changed are the Subject and the CertificateTemplate; everything else can stay as shown.

[Version]
Signature="$Windows NT$"

[NewRequest]
; Replace the subject with the external FQDN of your UAG server (the value below is a placeholder)
Subject = "CN=uag.example.com"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
; 0xA0 = digital signature + key encipherment, which is what a TLS server certificate needs
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[RequestAttributes]
CertificateTemplate = WebServer2008

Replace WebServer2008 with the name of your IP-HTTPS certificate template.

2. Run Command Prompt as Administrator.

3. Convert the INF file to a request file (.req):
certreq -new ip-https.inf ip-https.req

4. Copy the request file to your CA server (or any server that has unrestricted access to the CA machine).

5. On the CA server, open Command Prompt as Administrator.

6. Submit the REQ file to the CA:
certreq -submit ip-https.req

7. Choose the CA in the popup window.

8. Save the issued certificate as ip-https.cer when prompted.

9. Copy the ip-https.cer file back to the UAG machine.

10. On the UAG machine, open Command Prompt as Administrator.

11. Type:
certreq -accept ip-https.cer

This installs the certificate in the local computer store and binds it to the private key that was generated in step 3.

12. (optional) Open the Certificates MMC for Local Computer, open Properties for the certificate, give it the Friendly Name "IP-HTTPS Certificate" and click OK.
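As an added example that is not part of the original post, the following PowerShell script automates the UAG-side steps of the procedure above (writing the INF, creating the request, and after the issued certificate has been copied back, installing it, checking that it has its private key, and setting the friendly name); the submit step still runs on the CA as described. The FQDN uag.example.com, the folder C:\IP-HTTPS and the template name are placeholders.

```powershell
param(
    [string]$ExternalFqdn = "uag.example.com",  # placeholder: external FQDN of the UAG server
    [string]$Template     = "WebServer2008",    # placeholder: your IP-HTTPS template
    [string]$WorkDir      = "C:\IP-HTTPS"       # placeholder: scratch folder
)
$inf = Join-Path $WorkDir "ip-https.inf"
$req = Join-Path $WorkDir "ip-https.req"
$cer = Join-Path $WorkDir "ip-https.cer"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Same settings as the INF in the post; certreq needs the section headers.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$ExternalFqdn"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# Create the request and the key pair on the UAG machine (run elevated).
certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# The submit step runs on the CA; stop here until the issued .cer has been copied back.
if (-not (Test-Path $cer)) {
    Write-Host "Copy $req to the CA, run 'certreq -submit ip-https.req', save the result as $cer and re-run."
    return
}

# Install the issued certificate; certreq matches it to the pending key from the request.
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }

# Sanity check: the cert must be in the machine store with its private key; then set the friendly name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ExternalFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ExternalFqdn in LocalMachine\My" }
$cert.FriendlyName = "IP-HTTPS Certificate"
```

Run the script once before the CA step and again after the .cer has been copied back; a certificate that shows up without HasPrivateKey means the accept was done on a different machine than the request.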

If you’re looking to test DirectAccess scenarios, I highly recommend that you check out Dr. Tom Shinder’s test lab guides published on the Microsoft website.

TechEd 2010 Video: Secure Remote Access with UAG and DirectAccess

by Shijaz Abdulla on 06.01.2011 at 20:04

I realized that the video of my TechEd 2010 session on Forefront Unified Access Gateway and DirectAccess is available online.

You can watch it on the TechEd website. At the moment the video doesn't seem to load, but there is an option to download it as a WMV file.

I will be back again at TechEd this year, insha Allah, with another session on UAG. Stay tuned!

Forefront Endpoint Protection 2010 released!

by Shijaz Abdulla on 20.12.2010 at 02:27

Microsoft Forefront Endpoint Protection (FEP) has been released to manufacturing (RTM) on December 16, 2010. The licensed version of the product will be available on the Volume Licensing website, starting January 1, 2011.

For more information on FEP, visit the FEP website.

Multi-server management console for Forefront Protection for Exchange & SharePoint

by Shijaz Abdulla on 20.12.2010 at 02:14

The Forefront Protection Server Management Console 2010 (FPSMC) has been released to web on December 17, 2010.

Forefront Protection Server Management Console 2010 (FPSMC) is the multi-server management solution that is designed to manage Forefront Protection for Exchange (FPE) and Forefront Protection for SharePoint (FPSP) servers within the organization. FPSMC is a refresh of the Forefront Server Security Management Console that is currently available to manage Forefront Security for Exchange Server 2007, Forefront Security for SharePoint 2007 and Antigen 9 products.

FPSMC is a free download that does not require any additional licensing. For deployment and operations guidance, refer to the FPSMC articles on TechNet.

screenshot courtesy: svenska’s blog

Multi-server management for Forefront Protection for Exchange

by Shijaz Abdulla on 11.08.2010 at 10:25

You can now manage multiple servers running Forefront Protection for Exchange or SharePoint thanks to the multi-server management Script Kit.

You can download the script kit for free at the Microsoft Download Center, subject to acceptance of license terms.

In addition to the ability to manage multiple Forefront Protection Servers from a single location, this tool provides easily extensible command-line scripts that help enable server discovery, configuration deployment, and integration with existing management technologies. It also offers basic reporting capabilities to detect configuration drift and monitor server statistics.

Configuration Management and Reporting

  • Capture server configuration snapshots and push snapshots to any number of servers
  • Compare configuration of any number of servers or baselines
  • Obtain statistics from one or many servers, including information about infected files, detected malware, server health, and more
  • See summary and/or server detail views

Ease of Use

  • Discover Forefront Protection Servers and export information to a .CSV file
  • Use customizable Windows PowerShell™ scripts to enhance your existing automation

Forefront Protection for Exchange – Still Number One!

by Shijaz Abdulla on 02.07.2010 at 00:15

The July 2010 issue of Virus Bulletin, published today, includes another comparative report on anti-spam solutions.

In the latest comparative report, Microsoft Forefront Protection for Exchange still leads the competition with the highest spam catch rate and the lowest (zero) false positive rate. This is the third consecutive time that Microsoft Forefront Protection for Exchange has received the highest final score in the VBspam comparative report.

In this report (and also in the previous reports), Microsoft Forefront Protection for Exchange has shown remarkably better capabilities compared to Symantec, McAfee, Kaspersky, and other competitive solutions.

Quote from the VBspam report:

With the second best spam catch rate overall and just a handful of false positives on the last occasion, Microsoft’s Forefront Protection 2010 for Exchange Server seemed unlikely to improve on its past performance in this test. However, the product still managed to do that and a stunning spam catch rate of 99.96% combined with a total lack of false positives not only wins the product its sixth consecutive VBSpam award, but also gives it the highest final score for the third time in a row.

VirusBulletin’s detailed comparative reports can be downloaded by subscribers from

Do you already have Forefront Protection for Exchange?
It’s likely you already own the licenses for this award-winning anti-spam solution and you’re not aware of it.

  • If you run Exchange Server in your organization and you own Exchange Enterprise CALs for your users, then you are already licensed to use Forefront Protection for Exchange
  • If you have the Enterprise CAL Suite, you are already licensed to use Forefront Protection for Exchange
  • If you have the Forefront Security Suite in your license agreement, you are already licensed to use Forefront Protection for Exchange.

For more information, speak to your Microsoft account manager.

TMG or UAG? Which one do I need?

by Shijaz Abdulla on 30.06.2010 at 15:20

Of late, I have seen that a lot of customers and even partners are confused between the capabilities of Forefront Threat Management Gateway (TMG) and Forefront Unified Access Gateway (UAG).

The most important difference is that TMG is an "inbound AND outbound" access gateway that includes a network-level firewall with stateful packet inspection and application filtering, a forward and reverse web proxy, and a VPN server (for users and site-to-site). TMG is more focused on keeping the bad guys out and, to a certain extent, letting the good guys in. UAG, on the other hand, is an "inbound-only" secure remote access gateway that lets you allow "the good guys" in more securely.

I need TMG if:

  • I need an inbound and outbound access gateway
  • I need a state-of-the-art firewall with stateful packet inspection and application filtering capabilities to protect my network
  • I need built-in IPS (Intrusion Prevention System) on that firewall
  • I need a secure forward proxy for users on my network to access the internet
  • I need to be able to do web filtering based on individual URLs or URL categories (like Politics, Sports, Pornography, etc)
  • I need to be able to monitor my users' web activity and keep firewall logs.
  • I need to be able to block unproductive websites and services (like IM, P2P, video sharing, etc)
  • I need to protect my users from web-based threats (web antivirus, web antimalware, block malicious websites)
  • I need Forward HTTPS inspection to protect users against web threats that are hidden inside HTTPS
  • I need to publish (reverse proxy) services to the internet (like web servers, email servers, webmail, extranet, intranet and internet portals, etc)
  • I need SSL bridging to protect my published servers against threats embedded inside SSL
  • I need zero day protection from vulnerabilities that do not have a patch released yet (NIS)
  • I need site-to-site VPN
  • I need a VPN server for my users in addition to all the above

I need UAG if:

  • I need an ‘inbound only’ access gateway
  • I need to enable my users to securely access internal resources remotely (while they are outside the company network)
  • I need to enable Secure VPN access for users when they are outside my network
  • I need to quickly and easily enable DirectAccess for my Windows 7 users
  • I need to ensure only healthy and secure remote machines can access information/services/applications in my network with appropriate user authentication
  • I need to be able to define which applications or services these users can access and granularly define the security policies that will govern access to these services remotely
  • I need to ensure that these users can access these applications regardless of whether they are web-based, Terminal Services, RemoteApp or Citrix, without having to establish a VPN connection.
  • I need to give my users the ability to access these applications from a mobile device, or from a non-Windows client such as a Mac or a Linux machine.
  • I need to provide a web-based portal that the user can log in to remotely and run these applications from, without connecting a VPN, provided his machine is healthy.
  • I need to provide a web-based portal that the user can log in to remotely and either establish a secure SSTP VPN session or access file servers from, without connecting a VPN, provided his machine passes the health requirements of my organization.
  • I need to be able to easily define the security/machine health policies for machines that are attempting to access these applications.
  • I have smaller remote sites where I have small numbers of users with no site-to-site VPN and just an internet connection. I need to provide them secure access to my applications over the internet.

As you can see, each product is specialized to deliver very focused capabilities. Hence it is quite possible that some organizations need both solutions while others need only one. For many smaller organizations which need a one-product solution to protect their network and provide reasonably secure remote access, TMG would be the answer. However, for designs that focus purely on inbound access, UAG needs to be considered. If an organization has separate TMG/ISA Server arrays – one for inbound access and another for outbound access – the solution is simple – use a UAG array instead for inbound access and continue using TMG for the outbound array.

Forefront Threat Management Gateway Service Pack 1 released

by Shijaz Abdulla on 24.06.2010 at 11:50

This is a repost from the TMG Team Blog.

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 (SP1) was released on 23 June 2010.

Forefront TMG 2010 SP1 introduces the following new features and functionality to Forefront TMG 2010 Standard and Enterprise Editions.

New Reports

  • The new User Activity report displays the sites and site categories accessed by any user.
  • All Forefront TMG reports have a new look and feel.

Enhancements to URL Filtering

  • You can now allow users to override the access restriction on sites blocked by URL filtering. This allows for a more flexible web access policy, in that users can decide for themselves whether to access a blocked site. This is especially useful for websites that have been incorrectly categorized.
  • You can now override the categorization of a URL on the enterprise level; the override is then effective for each enterprise-joined array.
  • Denial notification pages can now be customized for your organization’s needs.

Enhanced Branch Office Support

  • Co-location of Forefront TMG and a domain controller on the same server, which can help reduce the total cost of ownership at branch offices.
  • When installed on a computer running Windows Server 2008 R2, SP1 simplifies the deployment of BranchCache at the branch office, using Forefront TMG as the Hosted Cache server.

Support for publishing SharePoint 2010

  • Forefront TMG SP1 supports secure publishing of SharePoint 2010.

Additional resources:
