Normally, organizations use a hardware firewall (Check Point, Cisco ASA, Juniper) to secure their network; this has been the trend over the last ten years. Due to some limitations in the networking features of previous versions of the Microsoft firewall (ISA Server 2004/2006), large organizations used a hardware firewall at the edge of the network. Forefront TMG 2010 Server can fill many roles within an organization, such as edge firewall, VPN server, secure Web gateway, forward proxy, reverse proxy and more. In many deployment scenarios, therefore, Forefront TMG 2010 is used solely for forward and reverse proxy functionality. In these configurations, Forefront TMG 2010 Server is typically deployed in the perimeter (DMZ) network of an existing firewall (Cisco ASA) as an extra layer of protection for Web-related services such as Web servers, secure Web servers and Exchange Outlook Web Access against external intrusion and attack.
In this scenario we install Forefront TMG 2010 Server on a computer with a single network adapter. The Forefront TMG 2010 Server reverse proxy makes it possible to secure Web-related services through a logical construct known as a Web Publishing Rule. A Web Publishing rule is a firewall policy rule that uses specific filters to monitor Web traffic and force that traffic to conform to specific conventions. Examples include publishing Web sites using a public name instead of an IP address; restricting access to a particular subdirectory; the bridging feature; setting the maximum payload length, which guards against attacks involving large amounts of data submitted to databases or Web servers in an HTTP POST request; blocking responses containing Windows executable content (such as .vbs, .exe, .ida, .com); and setting the exact HTTP methods that you want to allow to the published Web site while blocking all others, for example blocking the HTTP PUT method.
Perform the following steps to configure publishing a Web server using the HTTP protocol with port redirection (bridging):
Step 1. Create a Web listener for use in Publishing a Web Server Using HTTP Protocol
Step 2. Create a Web Publishing Rule using Port redirection (Bridging)
Step 3. Optional Configuration (but very Important)
The Web listener can be created independently (as in this task), or during creation of a Web Publishing rule.
Step 1. Create a Web listener for use in Publishing a Web Server Using HTTP Protocol
1. In the Forefront TMG Management console, click the Firewall Policy node.
2. In the right pane, click the Toolbox tab. Expand Network Objects, click New, and then select Web Listener.
3. On the Welcome to the New Web Listener Wizard page, type External to DMZ (HTTP) in the Name box, and then click Next.
4. On the Client Connection Security page, select Do not require SSL secured connections with clients and click Next.
5. On the Web Listener IP Addresses page, select All Networks (and Local Host) so that the adapter listens for incoming Web requests on these networks. (Note: we are using a TMG Server with a single NIC.)
6. On the Authentication Settings page, select No Authentication in the drop-down list and click Next.
7. On the Single Sign On Settings page, click Next.
8. On the Completing the New Web Listener Wizard page, click Finish.
9. Click Apply to save the changes and update the configuration, click Apply in the Saving Configuration Changes dialog box, and then click OK.
Step 2. Create a Web Publishing Rule using Port redirection (Bridging)
1. In the Forefront TMG Management console, click the Firewall Policy node. In the right pane, click the Tasks tab and then click Publish Web Sites.
2. On the Welcome to the New Web Publishing Rule Wizard page, type Publishing MSSERVERPRO WEB SITE and click Next.
3. On the Select Rule Action page, select Allow and click Next.
4. On the Publishing Type page, select Publish a single Web site or load balancer and click Next.
5. On the Server Connection Security page, select Use non-secured connections to connect the published Web server or server farm and click Next.
6. On the Internal Publishing Details page, type www.msserverpro.com in the Internal site name box, select the check box Use a computer name or IP address to connect to the published server, specify the internal server's IP address 192.168.10.15, and then click Next.
7. On the second Internal Publishing Details page, type /* in Path (optional) to allow access to all of the content of the site www.msserverpro.com without restriction to any specific folder, select the check box Forward the original host header instead of the actual one (specified in the Internal site name field on the previous page), and then click Next.
8. On the Public Name Details page, accept the default to only accept requests for This domain name, type www.msserverpro.com in the Public name box, and click Next.
9. On the Select Web Listener page, select External to DMZ (HTTP), the Web listener created in Step 1, and then click Next.
10. On the Authentication Delegation page, leave the default authentication option and then click Next. In our scenario we selected No Authentication on the Web listener, so the site can be accessed by anyone.
11. On the User Sets page, accept the default All Users, because this is the public Web site portal and my goal is that everyone should be able to access it without authentication, and then click Next.
12. On the Completing the New Web Publishing Rule Wizard page, review the configuration and click Finish.
13. Click Apply to save the changes and update the configuration, click Apply in the Saving Configuration Changes dialog box, and then click OK.
14. Double-click the Publishing MSSERVERPRO WEB SITE rule we have just created, click the Bridging tab, and change the HTTP port to 8010, because the MSSERVERPRO internal Web server uses a port other than port 80. Then click Apply, and click Test Rule to check that the publishing rule is working properly.
Step 3. Optional Configuration:
Our Publishing MSSERVERPRO WEB SITE rule is now working; the following configuration is optional.
1. Copy the Publishing MSSERVERPRO WEB SITE rule and paste it.
2. Double-click the newly pasted Publishing MSSERVERPRO WEB SITE rule, rename the publishing rule, click the Public Name tab, and edit www.msserverpro.com to msserverpro.com.
3. On the Publishing MSSERVERPRO WEB SITE Properties dialog box, click the Action tab, select the Deny radio button, select the check box Redirect HTTP requests to this Web page, type http://www.msserverpro.com, then click Apply and click OK.
4. Then configure HTTP filtering to control HTTP methods, block Windows executable content, block extensions, modify headers, etc.
5. Apart from this, and not related to the Web Publishing rule, customize the Flood Mitigation settings to better secure the Web server.
6. Lastly, the Network Inspection System (NIS) must be updated with the latest signatures. NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center.
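The following Python is an added example, not Forefront TMG code and not from the article's author. It reproduces, as a small policy model, the decisions that the rules configured in Steps 2 and 3 and the filter controls described in the introduction would make: the Allow rule for www.msserverpro.com bridged to 192.168.10.15:8010 with the original Host header forwarded, the copied Deny rule that redirects msserverpro.com to http://www.msserverpro.com, and the HTTP filter checks (allowed methods, blocked executable extensions, maximum payload length). The article names PUT and the .vbs/.exe/.ida/.com extensions; the exact allowed-method set and the payload limit are assumed values, and the sample requests are constructed, so the script runs offline and can be used to sanity-check the intended behaviour before clicking Test Rule.

```python
"""
Policy model of the Web Publishing rules and HTTP filter controls described
above. Added illustration in plain Python, not Forefront TMG code: it mirrors
the decisions TMG would make so they can be checked offline.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, Optional
from urllib.parse import urlsplit
import posixpath

# Values taken from the walkthrough
PUBLIC_NAME = "www.msserverpro.com"         # Public Name Details page of the Allow rule
INTERNAL_SERVER = "192.168.10.15"           # Internal Publishing Details page
INTERNAL_PORT = 8010                        # Bridging tab: HTTP port redirected to 8010
PATH_RULE = "/*"                            # Path (optional): the whole site is published
REDIRECT_FROM = "msserverpro.com"           # public name of the copied Deny rule
REDIRECT_TO = "http://www.msserverpro.com"  # "Redirect HTTP requests to this Web page"

# HTTP filter controls. The article names these controls and gives PUT and
# .vbs/.exe/.ida/.com as examples; the method set and the payload limit
# below are assumed values, not figures from the article.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".ida", ".com"}
MAX_PAYLOAD_LENGTH = 1_000_000  # bytes, assumed cap on request bodies


@dataclass
class Request:
    method: str
    host: str          # Host header as sent by the client
    path: str          # request target, may include a query string
    body_length: int = 0


@dataclass
class Decision:
    action: str                      # "forward", "redirect" or "deny"
    reason: str
    target: Optional[str] = None     # internal URL or redirect URL
    headers: Dict[str, str] = field(default_factory=dict)


def evaluate(req: Request) -> Decision:
    """Apply the rules as TMG does: in policy order, with the default rule
    denying anything that no publishing rule claims."""
    host = req.host.lower().split(":")[0]  # ignore a :port suffix when matching

    # Copied rule (Step 3): Deny + redirect for the bare domain name.
    if host == REDIRECT_FROM:
        return Decision("redirect", "deny rule with redirect", REDIRECT_TO)

    # The Allow rule only claims requests for its configured public name.
    if host != PUBLIC_NAME:
        return Decision("deny", "no publishing rule matches this public name")

    path_only = urlsplit(req.path).path
    if not fnmatch(path_only, PATH_RULE):
        return Decision("deny", "path not covered by the rule's path mapping")

    # HTTP filter checks attached to the Allow rule.
    if req.method.upper() not in ALLOWED_METHODS:
        return Decision("deny", f"HTTP method {req.method.upper()} is blocked")
    ext = posixpath.splitext(path_only)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return Decision("deny", f"extension {ext} is blocked")
    if req.body_length > MAX_PAYLOAD_LENGTH:
        return Decision("deny", "payload exceeds maximum length")

    # Bridging: the client connected on port 80, TMG connects to the internal
    # server on 8010. "Forward the original host header" keeps the client's
    # Host value instead of rewriting it to the internal site name.
    target = f"http://{INTERNAL_SERVER}:{INTERNAL_PORT}{req.path}"
    return Decision("forward", "allow rule matched", target, {"Host": req.host})


# Constructed sample requests (not captured traffic).
SAMPLES = [
    Request("GET", "www.msserverpro.com", "/index.html"),
    Request("GET", "msserverpro.com", "/"),
    Request("PUT", "www.msserverpro.com", "/upload/page.html"),
    Request("GET", "www.msserverpro.com", "/tools/setup.exe?dl=1"),
    Request("POST", "www.msserverpro.com", "/form", body_length=5_000_000),
    Request("GET", "other.example.test", "/"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        d = evaluate(r)
        print(f"{r.method:4} {r.host:22} {r.path:24} -> {d.action:8} {d.reason}")
```

Running the script prints one decision per sample. Two points the model makes visible: the two rules match different public names, so their relative order does not matter here, but TMG processes firewall policy rules in order, so a broader rule pasted above a narrower one can shadow it; and forwarding the original Host header means the internal server sees www.msserverpro.com rather than 192.168.10.15, which matters for sites that build absolute links or redirects from the host name they receive.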
Summary:
TMG encompasses all the layers of protection provided by a hardware firewall, as well as advanced protection features employing reverse proxy and inspection according to the policy set forth.
Great stuff, your article was a big help in understanding the deployment of TMG.