Release Notes for Forefront Threat Management Gateway

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

These release notes address late-breaking issues and information about Microsoft® Forefront™ Threat Management Gateway (Forefront TMG), Medium Business Edition. It is very important that you review the information contained in this document before installing Forefront TMG.


The following issues relate to deployment of Forefront TMG.

Workgroup support

Installation of Forefront TMG in a workgroup configuration is not supported. Forefront TMG must be a member of a domain.

Forefront TMG Management console

Installation of the Forefront TMG Management console is supported only on Windows Vista® and Windows Server® 2008 operating systems.

IPv6 Support and remote installation

Forefront TMG does not support IPv6. If you install Forefront TMG by using a remote desktop connection from a computer that communicates over IPv6 (the default for Windows Vista), at the end of the installation, the connection to that computer will be closed by Forefront TMG, and the computer will not be added to the Remote Management Computers computer set. It is recommended that if you perform a remote installation of Forefront TMG, you do so over an IPv4 connection.


The following issues relate to the configuration and monitoring of Forefront TMG.


In previous versions of this product (Microsoft Internet Security and Acceleration (ISA) Server 2006 and 2004), the administrator had the option to require 128-bit encryption for HTTPS traffic. This option is no longer necessary and has been removed in this release, as Windows Server 2008 requires at least this level of encryption for Secure Sockets Layer connections.

Internet Protocol security (IPsec)

The default IPsec tunnel mode settings are not suitable for site-to-site virtual private network (VPN) connections between a Forefront TMG computer and an ISA Server 2006 computer, because the servers have different default IPsec settings. Trying to establish a VPN connection between the sites by using the default settings will not succeed.

In such a deployment, be sure to modify the IPsec settings on the Forefront TMG server to match those on the ISA Server 2006 computer.

Joining a domain

When configuring Forefront TMG by using the System Configuration wizard (step two of the Getting Started wizard), using a relative domain name (e.g., oslo, when the fully qualified domain name is in order to join the server to a domain appears to succeed. However, after restarting the server, logging in with domain credentials results in a trust relationship error message.

Preventing the issue

Be sure to use a fully qualified domain name when joining Forefront TMG to a domain by using the System Configuration wizard.

Correcting the issue

If you have already joined the domain with a relative domain name, do the following.

To join a Forefront TMG server to a domain

  1. Use the local administrator account to log in to the Forefront TMG server.

  2. Right-click the Computer icon, and then click Properties.

  3. In the System Properties window, on the Computer Name tab, click Change, and then enter the Domain Name System (DNS) suffix provided by the domain controller.

  4. Click Next, and then click Finish. The Forefront TMG computer will automatically restart.

Changing the computer and domain name

You cannot change both the computer name and the domain at the same time, either in the Getting Started Wizard or in the Computer Details properties, accessible through the Forefront TMG Management Systems node.

To change both the computer name and the domain name

  • Change one parameter (either computer name or domain name), and then restart the computer as instructed. Change the other parameter, and then restart the computer.

Client authentication

You can configure authentication for clients connecting to the Forefront TMG server only in the Web Access settings on the Web Access Policy tab of the Forefront TMG Management console. These settings are visible only after you've completed the Web Access Policy wizard in the Getting Started Wizard. You can also configure this setting programmatically by using the FPCWebListenerProperties object.

Remote administration

Use Remote Desktop Connection in order to remotely administer the Forefront TMG server. Using other forms of remote administration is not recommended.

Reporting and Web chaining

The reports "Top Web Sites" and "Top Malware Web Sites" may not display correctly in a Web chaining deployment.

Reporting support

Forefront TMG reporting services are supported only when logs are recorded to a local Microsoft SQL Server® Express 2005 database.

When you publish reports to a directory on the Forefront TMG server, you must add the SYSTEM account to the file sharing permissions of the directory. This will ensure that Forefront TMG will be able to publish the reports to the directory.

Reserving TCP port 8008

The TCP port 8008 on the Forefront TMG server is used for reporting purposes; assigning this port for any other purpose will interfere with Forefront TMG reporting services.

Third-party add-ins

If you are running an add-in developed by a third-party vendor for a previous version of ISA Server, contact the provider in order to check on the availability of an updated version for Forefront TMG.

Virtual private networking

After viewing the Site-to-Site Settings summary, the Apply and Discard changes buttons appear. Reviewing the Site-to-Site settings does not cause a change to the system; you can safely click Discard, unless you have actually made changes.

Windows Firewall

Manually stopping the Windows® Firewall service (MpsSvc) is not recommended. In order to modify the VPN configuration, the Windows Firewall must be running.

To verify that the Windows Firewall service is running, from the command line of the Forefront TMG computer, run the command sc query mpssvc. If the service is not running, run the command net start mpssvc in order to restart the Windows Firewall.

Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Forefront, SQL Server, Windows, Windows Vista, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Copyright © 2009 by Microsoft Corporation. All rights reserved.