In my lab I have a TMG 2010 to publish stuff on the inside to the Internet. I wanted to harden the OS to make it more secure and this is how I did it using the Security Configuration Wizard with Microsoft Forefront Threat Management Gateway 2010.

IMPORTANT: Make sure to test this in a lab before doing it in production, otherwise you will probably break stuff! That’s why I have my lab which this site is dedicated to.

I use the TMG to publish ActiveSync/OWA/Outlook Anywhere and a simple static HTTP website that I publish on the outside using HTTPS. All users are authenticated using LDAPS.

The configuration of the TMG is the following so maybe if your configuration is different, the guide might not work for you, but please feel free to comment.

  • TMG-server is configured with a single network adapter on an internal private IP-network.
  • TMG-server is running Windows 2008 R2 Enterprise and TMG 2010 Enterprise, but I use the product as stand-alone on a single server without any bells and whistles like array, load-balancing etc. I just use the Enterprise editions to make sure the lab can cover all scenarios.
  • TMG-server is configured in a local workgroup and uses LDAP (over a secure connection) to authenticate the users.
  • The main firewall is a Cisco PIX where I NAT the external IP-addresses to the TMG internal IP-addresses.
  • I use RDP to remotely administrate the TMG-server completely. I don’t transfer stuff over SMB or anything like that (mainly because I wanted to disable “File and Printer Sharing for Microsoft Network”).

Problems:

At first reboot I got some problems which prevented TMG from starting completely, and I found these errors, all of them Event ID 7001:

  • The Microsoft Forefront TMG Firewall service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error: The dependency service or group failed to start.
  • The Microsoft Forefront TMG Job Scheduler service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error: The dependency service or group failed to start.
  • The Microsoft Forefront TMG Managed Control service depends on the Microsoft Forefront TMG Control service which failed to start because of the following error: The dependency service or group failed to start.
  • The Microsoft Forefront TMG Control service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Basically, the problem was that some services needed by TMG were disabled. After each reboot I found another service that needed to be changed from Disabled -> Manual. In the end, I had to change the following services:

  • Secure Socket Tunneling Protocol Service
  • Remote Access Connection Manager
  • Telephony

However, even after this, the server took 15+ minutes to reboot. [UPDATE: It looks like Software Update 1 for SP1 has fixed this issue. I don’t seem to be the only one with this problem, and my solution was to simply put all Forefront services in Automatic (Delayed Start). Hopefully Microsoft will release a fix for this in the future.]
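To make the two fixes above repeatable (and checkable after the next reboot), here is an added PowerShell script that is not part of the original post. It re-enables the three dependency services the SCW policy disabled, sets every Forefront TMG service to Automatic (Delayed Start), and then lists any Event ID 7001 entries logged since the last boot so you can see whether another disabled dependency is still lurking. The service display names come from the post; the assumption that all Forefront services carry a display name starting with "Microsoft Forefront TMG" is mine, based on the names in the event messages. It targets Windows PowerShell 2.0 as shipped with Windows 2008 R2, so it uses WMI and sc.exe rather than newer cmdlet parameters.

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell
# session on the TMG server, in a lab first.

# Display names taken from the post; Get-Service resolves them to service names.
$dependencies = @(
    'Secure Socket Tunneling Protocol Service',
    'Remote Access Connection Manager',
    'Telephony'
)

# Win32_Service.StartMode is used because PowerShell 2.0's Get-Service has no StartType property.
function Get-StartMode([string]$serviceName) {
    (Get-WmiObject Win32_Service -Filter "Name='$serviceName'").StartMode
}

'--- TMG dependency services ---'
foreach ($displayName in $dependencies) {
    $svc  = Get-Service -DisplayName $displayName -ErrorAction Stop
    $mode = Get-StartMode $svc.Name
    if ($mode -eq 'Disabled') {
        # Manual is enough: the TMG Control service starts them on demand via the dependency chain.
        Set-Service -Name $svc.Name -StartupType Manual
        $mode = Get-StartMode $svc.Name
    }
    '{0,-45} {1,-10} {2}' -f $svc.DisplayName, $svc.Name, $mode
}

'--- Forefront TMG services -> Automatic (Delayed Start) ---'
# Assumption: every Forefront service has a display name beginning "Microsoft Forefront TMG".
foreach ($svc in Get-Service -DisplayName 'Microsoft Forefront TMG*') {
    # Set-Service in Windows PowerShell has no delayed-start option, so use sc.exe.
    # Note: bare "sc" is PowerShell's alias for Set-Content; "start= " needs the trailing space.
    & sc.exe config $svc.Name start= delayed-auto | Out-Null

    # Verify via the registry flag the SCM reads (1 = delayed auto-start).
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $delayed = (Get-ItemProperty -Path $key).DelayedAutostart
    '{0,-45} {1,-16} {2,-8} delayed={3}' -f $svc.DisplayName, $svc.Name, (Get-StartMode $svc.Name), $delayed
}

'--- Event ID 7001 (dependency failed to start) since last boot ---'
$os   = Get-WmiObject Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7001; StartTime = $boot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Reboot after running it and run it again: if the last section prints nothing, the dependency chain is complete; if a new 7001 entry names another service, add that service's display name to $dependencies rather than enabling it by hand, so the hardening stays reproducible alongside the SCW policy.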