During installation, you can choose to deploy Forefront TMG Enterprise in a domain environment or in a workgroup environment. This topic is designed to help you select your deployment environment, based on the following considerations:
Note: These considerations also apply to computers running Forefront TMG Standard that are joined to an Enterprise Management Server (EMS).
General considerations
You should consider the following when selecting a domain or workgroup deployment:
- Enterprise and array deployments in a workgroup environment require additional preparation steps that are not needed in a domain environment, and require maintaining mirrored accounts (the same local account name and password on each Forefront TMG computer) for management purposes.
- EMS replication is not supported in a workgroup environment.
- Automatic Web proxy detection is not supported in a workgroup environment. For more information, see Planning automatic Web proxy detection.
- In a workgroup environment, a server certificate must be installed on the Forefront TMG computer. For more information, see Planning for server certificates.
- You can configure VPN client user mapping to map users of operating systems other than Microsoft Windows to domain user accounts. User mapping is supported only when Forefront TMG is installed in a domain.
- In a domain, you can lock down the Forefront TMG server using Group Policy, rather than only a local policy.
- In a domain environment, if Active Directory Domain Services (AD DS) is compromised, for example by an internal attack, the firewall can also be compromised, because a user with Domain Administrator rights can administer every domain member, including the server running Forefront TMG. Similarly, if the firewall is compromised, the domain in which Forefront TMG is located is also at risk. By default, the Domain Admins group is a member of the local Administrators group on the Forefront TMG server.
- If you plan to enable HTTPS inspection, automatic deployment of the HTTPS inspection trusted root certification authority (CA) certificate to client computers is not supported in a workgroup environment.
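The Domain Admins point above is easy to verify on a given server. The following script is an added example and is not part of the Forefront TMG documentation: it enumerates the local Administrators group through the WinNT ADSI provider (so it runs on Windows Server 2008 R2 with Windows PowerShell 2.0 and no extra modules), separates local from domain principals, and warns when a Domain Admins group is present. The $ComputerName parameter and the output columns are assumptions made for this illustration.

```powershell
# Added example, not part of the Forefront TMG documentation: list the members of the
# local Administrators group on a TMG server and flag domain principals, in particular
# <DOMAIN>\Domain Admins, which is present by default once the server is a domain member.
# Assumptions for this illustration: $ComputerName defaults to the local machine, and the
# output columns below are our own choice.

param(
    [string]$ComputerName = $env:COMPUTERNAME
)

function Get-LocalAdministratorsMembers {
    param([string]$Computer)

    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Each member is a COM object; its ADsPath looks like WinNT://TMGSERVER/localuser,
    # WinNT://WORKGROUP/TMGSERVER/localuser, or WinNT://CONTOSO/Domain Admins.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name      = $parts[-1]   # last segment is the principal name
        $authority = $parts[-2]   # the segment before it is the computer or domain that owns it
        New-Object PSObject -Property @{
            Authority = $authority
            Name      = $name
            Class     = $class    # 'User' or 'Group'
            IsLocal   = ($authority -ieq $Computer)
        }
    }
}

$members = @(Get-LocalAdministratorsMembers -Computer $ComputerName)
$members | Sort-Object IsLocal, Authority, Name | Format-Table Authority, Name, Class, IsLocal -AutoSize

# A domain group in the local Administrators group means that whoever controls AD DS
# also controls this firewall, which is the trade-off the planning text describes.
$domainAdmins = @($members | Where-Object { (-not $_.IsLocal) -and ($_.Name -ieq 'Domain Admins') })
if ($domainAdmins.Count -gt 0) {
    $msg = '{0}\Domain Admins is in the local Administrators group on {1}; every domain administrator can administer this firewall.' -f $domainAdmins[0].Authority, $ComputerName
    Write-Warning $msg
}
```

Removing the Domain Admins group from the local Administrators group narrows the exposure but does not isolate a domain-joined firewall: a domain administrator can reinstate the membership through Group Policy or by other domain-level means. If the firewall must not share fate with the domain, the workgroup deployment described in this topic is the option to consider.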
Network topology considerations
Forefront TMG is commonly used in the following network topology configurations:
- Edge configuration
  - Forefront TMG protecting the edge, with one adapter connected to the Internal network and the other connected to the External network.
  - A back-to-back configuration, with Forefront TMG as the front firewall protecting the edge, with an adapter connected to the External network and an adapter connected to a perimeter network. A back-end firewall (which may be Forefront TMG or a third-party product) is configured between the perimeter network and the Internal network.
  - A three-legged configuration, with Forefront TMG configured with three network adapters connected to the Internal network, the External network, and a perimeter network.
- Internal configuration
  - Forefront TMG at the back end in a back-to-back scenario. A typical deployment, with one Forefront TMG server at the edge and a second Forefront TMG server at the back end, installs the front-end server in workgroup mode and the back-end server as a domain member. Installing the back-end server as a domain member lets you authenticate requests against AD DS, and you can harden the internal Forefront TMG computer using Group Policy for ease of management.
  - Forefront TMG configured with a single network adapter. In this scenario, Forefront TMG functions as a Web proxy or caching server. The main advantage of installing the Forefront TMG computer as a domain member in this scenario is the ease of authenticating users against AD DS.
Authentication considerations
You should consider the following authentication issues when selecting a domain or workgroup deployment:
- When access rules require internal clients to authenticate for outbound access, Forefront TMG can authenticate domain user accounts against AD DS. In a workgroup environment, Web proxy requests can be authenticated against a RADIUS server.
- Firewall client requests automatically include user credentials. To authenticate these requests, Forefront TMG should belong to a domain. In a workgroup environment, you can authenticate them against user accounts mirrored in the local Security Accounts Manager (SAM) on the Forefront TMG server, although keeping these accounts in sync securely adds administrative overhead.
- To authenticate inbound requests to internal Web servers using domain account credentials or certificate authentication, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS or SecurID server can be used for authentication.
- To authenticate virtual private network (VPN) requests using domain account credentials or certificates, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS server can be used for authentication.
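The mirrored accounts mentioned under General considerations and under Authentication considerations are ordinary local SAM accounts that must carry the same name and password on every computer involved. The following script is an added example and is not part of the Forefront TMG documentation: it creates (or resets) one such account on each listed computer through the WinNT ADSI provider, marks the password as non-expiring so that the mirrors cannot drift apart through expiry, and adds the account to a local group. The computer names, the account name and the choice of the Administrators group are assumptions for this illustration; run it from an account that is already a local administrator on every target.

```powershell
# Added example, not part of the Forefront TMG documentation: provision the same local
# account, with the same password, on every computer of a workgroup array (and the EMS)
# so that they can authenticate to one another, i.e. the "mirrored accounts" the planning
# text refers to. Assumptions for this illustration: the computer names, the account name
# 'tmgmirror' and the target local group are placeholders. The WinNT ADSI provider is used
# so that this runs on Windows Server 2008 R2 with Windows PowerShell 2.0.

param(
    [string[]]$Computers   = @('TMG-ARRAY1', 'TMG-ARRAY2', 'TMG-EMS'),
    [string]  $AccountName = 'tmgmirror',
    [string]  $LocalGroup  = 'Administrators'
)

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # mirrored passwords must be rotated together, not by expiry

# Prompt once, so every mirror receives exactly the same password; the plaintext copy is
# needed by IADsUser.SetPassword and is released as soon as the BSTR is zeroed.
$secure = Read-Host -AsSecureString -Prompt "Password for $AccountName on all computers"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

function Set-MirroredLocalAccount {
    param([string]$Computer, [string]$Name, [string]$Password, [string]$Group, [int]$Flags)

    $userPath = "WinNT://$Computer/$Name,user"
    $created  = -not [ADSI]::Exists($userPath)
    if ($created) {
        $machine = [ADSI]"WinNT://$Computer"
        $user = $machine.Create('User', $Name)
        $user.SetPassword($Password)
        $user.SetInfo()
        $user.psbase.RefreshCache()            # load the default flags the server assigned
        $user.Description = 'Forefront TMG mirrored management account'
    } else {
        $user = [ADSI]$userPath
        $user.SetPassword($Password)           # reset in place so all mirrors stay identical
    }
    $user.UserFlags = ([int]$user.UserFlags.Value) -bor $Flags
    $user.SetInfo()

    # Add the account to the local group unless it is already there; IADsGroup.Add throws
    # on duplicates. Member paths may be WinNT://COMP/name or WinNT://WORKGROUP/COMP/name.
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $memberPaths = @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    $already = @($memberPaths | Where-Object { $_ -like "*/$Computer/$Name" }).Count -gt 0
    if (-not $already) {
        $grp.Add("WinNT://$Computer/$Name")
    }
    New-Object PSObject -Property @{ Computer = $Computer; Account = $Name; Group = $Group; Created = $created }
}

$results = foreach ($c in $Computers) {
    try {
        Set-MirroredLocalAccount -Computer $c -Name $AccountName -Password $password -Group $LocalGroup -Flags $ADS_UF_DONT_EXPIRE_PASSWD
    } catch {
        Write-Warning ('Failed on {0}: {1}' -f $c, $_.Exception.Message)
    }
}
$results | Format-Table Computer, Account, Group, Created -AutoSize
```

Run the script again with a new password whenever the credential is rotated; because authentication between the computers succeeds only while name and password match on both sides, a rotation that reaches only some of the array members breaks management traffic until the rest are updated, which is the administrative overhead the topic refers to.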