Forefront TMG and Windows® 7 DirectAccess


DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that gives users the experience of being seamlessly connected to their corporate network any time they have Internet access. With DirectAccess, users are able to access corporate resources (such as e-mail servers, shared folders, or intranet Web sites) securely without connecting to a virtual private network (VPN).

Forefront Threat Management Gateway (TMG) can be installed on the DirectAccess server to provide an additional layer of protection and to enable the use of additional Forefront TMG technologies (e.g. full IPv4 firewall or Secure Web Publishing) for machines that are not DirectAccess capable.

Deploying Forefront TMG on a DirectAccess Server

DirectAccess traffic is IPv6-based. Because Forefront TMG by default neither accepts IPv6 traffic nor allows it to pass through, the following traffic will be allowed in order to support DirectAccess:

· Inbound authenticated IPv6 traffic (using IPSec). This also includes the IPSec initiation traffic.

· Inbound and outbound IPv6 transition technologies (6to4, Teredo, IP-HTTPS and ISATAP).

· Native IPv6 from the Forefront TMG machine.

In addition, Forefront TMG integrates with the IPSec Denial of Service Protection (DoSP) component of Windows DirectAccess to ensure that only IPSec traffic is allowed through it. For this reason, it is important to configure DirectAccess before installing Forefront TMG.

Configure and verify Windows DirectAccess

Install Windows Server® 2008 R2 on the server and configure DirectAccess as described in the DirectAccess Early Adopter’s guide.

Since DirectAccess configuration involves multiple technologies and servers, it is highly recommended to verify that DirectAccess has been configured and is working properly before continuing to install Forefront TMG.

Install Forefront TMG

By default Forefront TMG disables various IPv6 transition technologies in Windows. In order to prevent Forefront TMG Setup from doing this, create the following .reg file and import it to the registry:


Windows Registry Editor Version 5.00




After the key has been imported, install Forefront TMG.

Please note that once Forefront TMG is installed it takes control of the Windows Firewall’s firewall category to prevent the existence of duplicate policies on the same machine. If you open the “Windows Firewall with Advanced Security” console you will see a warning similar to the one below:


Enable DirectAccess support in Forefront TMG

In order to enable DirectAccess support in Forefront TMG, create and run the following script:


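' Connect to the Forefront TMG administration COM root object
set o = createobject("fpc.root")
' Item(1) is the first array in the collection
set arr = o.Arrays.Item(1)
set policy = arr.ArrayPolicy
set IPV6Settings = policy.IPv6Settings
' Turn on DirectAccess support
IPV6Settings.DirectAccessEnabled = vbTrue
' Save the change so that Forefront TMG synchronizes to it
arr.Save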


After Forefront TMG synchronizes to the new configuration, the following changes take place:

1. IPv6 infrastructure and transition technologies to and from Forefront TMG are allowed by enabling the relevant rules in the Forefront TMG system policy (rules 48-51 in the screenshot below).

2. Forefront TMG routes authenticated IPv6 traffic through it.

Advanced configuration

Forefront TMG can be installed and configured on a standalone Windows 2008 R2 server running the DirectAccess role. A comprehensive DirectAccess solution is provided by Forefront Unified Access Gateway (UAG), which incorporates Forefront TMG and leverages Forefront TMG’s capabilities. The Forefront UAG DirectAccess Scenario provides the following advantages:

· Scalability

· High availability

· Access to corporate legacy servers over IPv4

· Easier configuration, deployment, and management

· Forefront UAG installs Forefront TMG on each node during Setup

· Alternative remote access solution for non-domain-joined machines

Additional questions

Q. What if I already have Forefront TMG installed and want to configure DirectAccess?

A. It is recommended that you disable the Forefront TMG driver (by running “net stop fweng” in a command shell) before running the DirectAccess wizard. This will prevent Forefront TMG from interfering with the DirectAccess configuration process.

After DirectAccess is configured and tested, start the “Microsoft Forefront TMG firewall” service (or run “net start wspsrv” in a command shell).

Please note that while the Forefront TMG driver is disabled, Forefront TMG does not provide any protection to the machine. During that time Windows Firewall regains control of the firewall functionality.
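
The stop, configure and restart sequence above, as an added PowerShell example (not part of the original post): it wraps the wizard run in try/finally so that the firewall service is restarted and its state checked even if the wizard step is abandoned. It assumes an elevated prompt on the TMG server and uses only the service names given above; the helper name Get-ScState is made up for this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# 'fweng' (TMG driver) and 'wspsrv' (TMG firewall service) are the names the post gives.

function Get-ScState([string]$Name) {
    # "sc query" prints a line such as "STATE : 4  RUNNING"; return the state word.
    $line = & sc.exe query $Name | Where-Object { $_ -match '^\s*STATE\s*:' }
    if ($line -match ':\s*\d+\s+(\w+)') { return $Matches[1] }
    return 'UNKNOWN'
}

$stoppedAt = Get-Date
try {
    # /y answers the confirmation prompt if dependent services have to stop too.
    & net.exe stop fweng /y
    if ((Get-ScState 'fweng') -ne 'STOPPED') {
        throw 'fweng did not stop; do not run the DirectAccess wizard yet.'
    }
    Write-Warning 'Forefront TMG is not filtering. Windows Firewall is in control until TMG is restarted.'
    Read-Host 'Run and test the DirectAccess wizard, then press Enter to restart TMG'
}
finally {
    # Runs on success, on error and on Ctrl+C, so the machine is not left without TMG.
    & net.exe start wspsrv
    $window = [int]((Get-Date) - $stoppedAt).TotalMinutes
    foreach ($svc in 'fweng', 'wspsrv') {
        $state = Get-ScState $svc
        if ($state -eq 'RUNNING') {
            Write-Output "$svc is RUNNING"
        } else {
            Write-Warning "$svc is $state; Forefront TMG protection is NOT restored."
        }
    }
    Write-Output "Forefront TMG was stopped for about $window minute(s)."
}
```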

Q. Can I install Forefront TMG between the internet and my DirectAccess server?

A. Yes. The DirectAccess Early Adopter’s guide contains a section titled “Firewall Exception” that provides instructions on what protocols should be enabled in order to allow the DirectAccess server to function correctly in this setup.

Q. Can I install Forefront TMG between the DirectAccess server and my internal network?

A. Since Forefront TMG does not yet contain full IPv6 support, this will only work if ISATAP is used for IPv6 traffic on the internal network. In addition, end-to-end IPSec can also prevent Forefront TMG from working properly.

Q. Can I configure IP-HTTPS and Forefront TMG SSL publishing on the same machine?

A. Both IP-HTTPS and Forefront TMG SSL publishing use port 443 (HTTPS). In order to prevent a port conflict you need to make sure that IP-HTTPS is configured to listen on a different IP address than Forefront TMG.

This can be done by running the following command: “netsh http add iplisten ipaddress=<non-conflicting IP address>”


Ori Yosefi, Senior Program Manager, Forefront Threat Management Gateway

Reviewers: Yaron Zakai Or, Nitzan Daube, Alon Yardeni, Gabriel Koren, and Rachel Aldam.