Forefront TMG should be configured through Forefront TMG Management or programmatically using the Forefront TMG administration COM objects. Some administration COM properties cannot be accessed through Forefront TMG Management, and their values can be retrieved and modified only programmatically.
In ISA Server 2000, several configuration settings that were introduced after the release of the product and were described in Knowledge Base (KB) articles can be accessed only directly through registry values. ISA Server 2004, ISA Server 2006, and Forefront TMG provide COM properties for accessing the configuration settings that were defined in ISA Server 2000 by the following registry values:
HKLM\SYSTEM\CurrentControlSet\Services\FwSrv\Parameters\NegativeDnsCacheTTL
This ISA Server 2000 registry value is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the DnsCacheNegativeTtl property of the FPCLowLevelSettings object, which specifies the TTL, in seconds, of entries for unsuccessful lookups in the DNS cache.
HKLM\SYSTEM\CurrentControlSet\Services\FwSrv\Parameters\UseISAAddressInPublishing
This ISA Server 2000 registry value (available only when ISA Server 2000 Service Pack 1 is installed) is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the UseFirewallIPAsSource property of the FPCServerPublishingProperties object, which indicates whether the IP address on which the Forefront TMG computer received a request on behalf of the server published by the rule will be used as the source IP address when the request is forwarded to the published server.
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\ConnectCacheSize
This ISA Server 2000 registry value is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the ConnectCacheSize property of the FPCWebProxy object, which specifies a value that is a factor for determining the maximum size of the connection cache.
The other factor that determines the maximum size of the connection cache is set internally and is based on the total physical memory and on the type and number of processors in the Forefront TMG computer. Cached connections are removed from the cache according to fixed expiration policies.
Setting this property to 0 disables connection caching. However, this degrades performance because of the need to open a new connection to the Web server for each client request and the resultant increase in the number of connections opened per second.
If clients access a Web site that uses a custom connection-based authentication method through a Forefront TMG computer and the authentication method relies on the connection between the Forefront TMG computer and the Web server, the personal data of one client may be exposed to another client. Because of connection caching, after the Web server authenticates a connection opened by the Web proxy for the first client, the Web proxy can reuse the connection for a second client, and the Web server will let the new client browse the personal data provided by the first client for authentication. This problem can be avoided by setting the ConnectCacheSize property to 0.
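The following VBScript is an added example, not part of the Forefront TMG SDK documentation, showing how a Forefront TMG administrator applies the mitigation just described: it reads ConnectCacheSize from the FPCWebProxy object of the local array, sets it to 0 to disable connection caching, saves the array, and reads the value back. It assumes the standard FPC.Root administration object and the FPCArray.WebProxy and FPCArray.Save members; the same pattern applies to the other FPCWebProxy properties on this page.

```vbscript
' Added example (not from the Forefront TMG SDK): disable the Web proxy
' connection cache on the local array so that a connection authenticated
' by the Web server for one client is never reused for another client.
Option Explicit

Dim root, tmgArray, webProxy, oldSize

' FPC.Root is the Forefront TMG administration root COM object.
Set root = CreateObject("FPC.Root")
' The array containing the Forefront TMG computer the script runs on.
Set tmgArray = root.GetContainingArray()
' FPCWebProxy holds the ConnectCacheSize property described above.
Set webProxy = tmgArray.WebProxy

oldSize = webProxy.ConnectCacheSize
WScript.Echo "Current ConnectCacheSize: " & oldSize

If oldSize <> 0 Then
    ' 0 is the documented value that disables connection caching.
    webProxy.ConnectCacheSize = 0
    ' Write the array configuration to persistent storage.
    tmgArray.Save
    WScript.Echo "ConnectCacheSize set to 0 (connection caching disabled)."
Else
    WScript.Echo "Connection caching is already disabled."
End If

' Re-read the property from a fresh array object to confirm the change.
Set webProxy = root.GetContainingArray().WebProxy
If webProxy.ConnectCacheSize = 0 Then
    WScript.Echo "Verified: ConnectCacheSize is 0."
Else
    WScript.Echo "WARNING: ConnectCacheSize is still " & webProxy.ConnectCacheSize
    WScript.Quit 1
End If
```

Run it with cscript under an account that holds the Forefront TMG administrator role; expect the performance cost described above, since every client request now opens a new connection to the Web server.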
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\DontMarkSessionAsPrivateifProxyAuthSeen
This ISA Server 2000 registry value (introduced in ISA Server 2000 SP 2), which specifies whether the local downstream Forefront TMG computer caches content that requires authentication at an upstream proxy server but not at the downstream computer in a Web chaining scenario, is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by a global setting that resides in a vendor parameters set of the FPCArray object.
When this setting is set to 0 (the default value), the downstream Forefront TMG computer disables caching of HTTP content that is retrieved through HTTP requests authenticated at the upstream proxy server.
When this setting is set to 1, the downstream Forefront TMG computer enables caching even if the upstream proxy server is configured to request client authentication. Users who are not allowed to view specific HTTP content by the upstream proxy server can retrieve the content from the downstream Forefront TMG computer. For a VBScript code example for setting the DontMarkSessionAsPrivateIfProxyAuthSeen parameter, see the VendorParametersSets property.
The caching of content supplied after user authentication by an upstream proxy server or by the Web server is also controlled in individual cache rules by the CacheAuthenticatedContent property of the applicable FPCCacheRule object.
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\MaxRequestHeadersSize
This ISA Server 2000 registry value, which specifies the maximum length of HTTP request headers, is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by a global setting that resides in the vendor parameters set (the VendorParametersSets property) of the HTTP Filter Web filter and applies to all Web publishing rules and access rules that allow HTTP traffic. Its default value is 32,768 bytes. For more information and a VBScript code example for setting the MaxRequestHeadersLen parameter, see HTTP Filter.
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\RemoveAllProxyAuthorization
This ISA Server 2000 registry value is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the RemoveAllProxyAuthorization property of the FPCWebProxy object, which indicates whether the Forefront TMG Web proxy will remove all Proxy-Authorization headers from requests passed to an upstream server.
If requests sent by Internet Explorer are forwarded to an upstream proxy server by a Web chaining rule, Integrated authentication is required on the downstream Forefront TMG computer, and no client authentication is required on the upstream proxy server, random authentication requests and other error messages may be displayed on the client computer. This problem can be resolved by configuring the downstream proxy server to remove all Proxy-Authorization headers from requests passed to the upstream server.
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\ReturnDeniedIfAuthenticated
This ISA Server 2000 registry value is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the ReturnAuthRequiredIfAuthUserDenied property of the FPCWebListenerProperties object, which indicates whether a Proxy Authentication Required message should be returned when a user is authenticated by the Forefront TMG Web proxy but is denied access by the rules. By default, an access denied message is returned, and the user is not given the option of authenticating with different credentials.
In the forward proxy scenario, when this property is set to True, a user who is authenticated by the Web proxy but fails to pass the rules (for example, because they deny access to this user) receives HTTP error 407 (Proxy Authentication Required) and can try again using different credentials. If this property is set to False (the default value), the user receives HTTP error 502 (Bad Gateway) with a resource denied error page and is not prompted again for credentials when the Web proxy denies access for a request. In the reverse proxy scenario, the corresponding HTTP errors are 401 (Unauthorized: Logon Failed) and 403 (Forbidden: Execute Access Forbidden).
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\SkipNameResolutionForAccessAndRoutingRules
This ISA Server 2000 registry value is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the SkipNameResolutionForAccessAndRoutingRules property of the FPCWebProxy object, which indicates whether the Forefront TMG Web proxy will skip name resolution while checking access and routing rules. When name resolution is disabled in a forward proxy scenario with chaining, requests requiring DNS lookup on the downstream Forefront TMG computer are sent directly without delay to the chained upstream computer.
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\SkipNameResolutionForPublishingRules
This ISA Server 2000 registry value is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the SkipNameResolutionForWebPublishingRules property of the FPCWebProxy object, which indicates whether the Forefront TMG Web proxy will skip name resolution while checking Web publishing rules.
HKLM\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\WebProxyFtpClientPassword
This ISA Server 2000 registry value is replaced in ISA Server 2004, ISA Server 2006, and Forefront TMG by the WebProxyFtpClientPassword property of the FPCWebProxy object, which specifies the password that will be used when mediating anonymous FTP requests.
Note that these properties cannot be accessed through Forefront TMG Management.
Build date: 11/30/2009
© 2008 Microsoft Corporation. All rights reserved.