Server View

Forefront TMG works at various communication layers to protect the corporate network. At the packet layer, Forefront TMG implements packet filtering. Data then passes to the Microsoft Firewall service and, when necessary, to the Web proxy, where Forefront TMG rules are processed to determine if the request should be serviced.

The following figure shows in detail the architecture of the Forefront TMG array.

By default, a Forefront TMG array includes only one Forefront TMG computer, and associating additional Forefront TMG computers with an array is not supported in Forefront TMG Medium Business Edition. The following explanation focuses on the architecture of a single Forefront TMG computer. The server includes these components:

• The firewall, consisting of the Microsoft Firewall service, the Forefront TMG Web proxy, and application filters:
  • IP packet filter.
  • SecureNAT driver. A function of Forefront TMG that performs network address translation (NAT) in place of the Windows NAT mechanism. For more information, see Secure Network Address Translation.
  • Web proxy. Includes Web filters and the cache.
  • Firewall service. Handles connect requests sent by Firewall clients and SecureNAT clients. HTTP requests are diverted to the Web proxy.
  • Application filters. Third-party filters can be developed to extend the Firewall service by using the application filter interfaces.

As shown in the diagram, Forefront TMG protects three types of clients:

• Firewall clients are computers that have the Firewall Client software installed and enabled. Firewall clients intercept requests that are sent from Windows Sockets (Winsock) applications running on them to other computers and decide whether to route the them to the Forefront TMG computer or to send them directly to destinations that are considered local. Requests from Firewall clients that are accepted by a Forefront TMG computer are directed to the Firewall service to determine whether access is allowed. Subsequently, the requests can be filtered by application filters and other add-ins. If a Firewall client requests an HTTP object, the Firewall service redirects the request to the Web proxy. The Web proxy may also cache the requested object, or serve the object from the Forefront TMG cache. For more information about Firewall clients, see Firewall Clients.
• SecureNAT clients are computers that send requests to the Forefront TMG computer, but do not have the Firewall Client software installed. Requests from SecureNAT clients are directed first to the NAT driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service, to determine whether access is allowed. Finally, the request can be filtered by application filters and other add-ins. If the SecureNAT client requests an HTTP object, the Firewall service redirects the request to the Web proxy. The Web proxy may also cache the requested object, or serve the object from the Forefront TMG cache. For more information about SecureNAT clients, see SecureNAT Clients.
• Web proxy clients are any browser applications compatible with the standards of Conseil Europeen pour la Recherche Nucleaire (CERN). Forefront TMG redirects Web requests from clients to the Web proxy on the Forefront TMG computer to determine whether access is allowed. The Web proxy can also cache the requested object or serve the object from the Forefront TMG cache.

Note  Firewall client computers and SecureNAT client computers can also be Web proxy clients. If the Web application on the computer is configured explicitly to use the Forefront TMG, then all Web requests (HTTP, HTTP-S, and FTP download requests) are sent directly to the Web proxy. Also, requests generated by applications that do not use Winsock APIs on Firewall clients are processed as requests from a SecureNAT client if their default gateway is configured so that traffic is sent by way of the Forefront TMG computer either directly or indirectly, through a router.

Send comments about this topic to Microsoft

Build date: 11/30/2009