This checklist is designed to help you plan your deployment of Forefront TMG. It lists the tasks you should complete to install and deploy Forefront TMG successfully, and provides links to instructions and planning information for each task.

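Tasks are grouped according to:

  • Preinstallation tasks

  • Post-installation tasks

  • Setting up access to your corporate network

  • Protecting your corporate network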

Preinstallation tasks

The following table lists the tasks you should complete before installing Forefront TMG:

Task Where to Find Information

Verify that the computer on which you want to install Forefront TMG complies with the system hardware and software requirements.

For a list of all the hardware and software requirements necessary for installing Forefront TMG, see System requirements for Forefront TMG.

Run Windows Update to ensure that your computer has the latest updates installed. If updates are applied, reboot the computer before installing Forefront TMG.

For information on how to ensure that the latest updates are installed on your computer, see Preparing for installation.

Decide whether to run the Forefront TMG installation in interactive or unattended mode.

See Planning to install Forefront TMG.

Note: You can migrate to Forefront TMG from ISA Server, or upgrade from an earlier version of Forefront TMG. For information, see Planning for migration.

Select the required installation option, depending on your environment.

The following options are available:

For planning information, see Planning to install Forefront TMG.

Verify network adapter configuration

All network adapters must be properly installed and configured with the appropriate IP addresses before you install and configure Forefront TMG.

For information on planning the network adapter configuration for your network, see Planning Forefront TMG network topology.

Plan domain name resolution

Before you start the installation, you must plan how to configure domain name resolution in Forefront TMG.

See Planning for domain name resolution.

Post-installation tasks

The following table lists the tasks you should do after installing Forefront TMG, including the infrastructure options you should consider as you set up your network:

Task Where to Find Information

Configure basic deployment settings

Use the Getting Started wizard to help you configure initial deployment settings, such as network adapter settings, operating system settings (for example, computer name information and domain or workgroup), and malware protection for Web traffic.

For instructions, see Configuring initial deployment settings.

Configure domain/workgroup membership

When installation is complete, you can configure Forefront TMG as a member of a domain or a workgroup.

For information on planning these deployment options in Forefront TMG, see Workgroup and domain considerations.

Configure array deployment

Array configuration provides high availability by joining TMG servers. After installing Forefront TMG on your server, you can join the server to a standalone array, or to an array that is centrally managed by an EMS.

For information on how to plan for a standalone or centrally managed array, see Planning for Forefront TMG server high availability and scalability.

For instructions on how to configure an array of Forefront TMG servers for deployment, see Configuring an array of Forefront TMG servers.

Setting up access to your corporate network

The following table lists the tasks you can do to secure access to your corporate network. For detailed information about setting up access to your corporate network, see Access design guide for Forefront TMG.

Task Where to Find Information

Set up authentication

The following options are available for setting up the authentication infrastructure:

  • Install CA server certificates—CA server certificates enable you to secure encrypted communication and authentication between the client computer and Forefront TMG.

  • Configure forms-based authentication—When Forefront TMG is used to publish Exchange Web client access, forms-based authentication should be configured on the Forefront TMG computer.

  • Configure Kerberos constrained delegation—If you are using Kerberos constrained delegation as the authentication delegation method, you must configure it for the Forefront TMG computer object in Active Directory Domain Services.

  • Configure authentication delegation—If you are configuring authentication delegation, you must match the selected authentication delegation method to a supported method of authentication on the published server.

For more information, see Overview of authentication in Forefront TMG.

Set up network access

Forefront TMG enables you to configure settings, such as Forefront TMG Client support, that provide secure access to the internal applications in your network.

See Planning to control network access.

Configure Web access

Forefront TMG enables you to configure settings that allow internal users to access the Web securely.

See Planning for Web access.

Configure Virtual Private Network (VPN) access

You can configure your system to enable clients on a remote network to connect securely to your corporate network using a Virtual Private Network (VPN). See Planning for virtual private networks.

Configure publishing

Forefront TMG publishing enables remote users to securely access your internal applications via the Internet. Web publishing rules enable you to specify which Web servers and sites will be available to Internet users, based on defined access policies.

See Planning for publishing.

Install server certificates for published Web site

To enable secure communications between the Forefront TMG computer and the published Web site, you must install a CA server certificate for the published Web site.

See Planning for server certificates.

Protecting your corporate network

The following table lists the protection capabilities you can configure in Forefront TMG to help protect your corporate network. For more information on protection, see Protection design guide for Forefront TMG.

Task Where to Find Information

Configure protection against known vulnerabilities

You can configure Forefront TMG to protect your computers against network attacks and malicious attempts to exploit known vulnerabilities in the operating system and other related applications.

See Planning to protect against known vulnerabilities.

Configure protection against intrusion attempts and other common attacks

You can configure Forefront TMG to protect your network from attempts by malicious users to attack the network, such as HTTP denial of service attacks, SYN attacks, or worm propagation.

If detection of DNS attacks is enabled, you can also specify that the DNS Filter check for specific types of suspicious activity.

See Planning to protect against network attacks.

Configure protection against Web browsing threats

You can configure Forefront TMG to provide malware inspection for scanning, cleaning, and blocking harmful HTTP and HTTPS content and files.

See Planning to protect against Web browsing threats.

Configure protection against e-mail threats

If you intend to deploy e-mail protection for your organization, you must configure a secure e-mail policy to protect your corporate assets.

See Planning to protect against e-mail threats.


Copyright © 2009 by Microsoft Corporation. All rights reserved.