Server View

Forefront TMG works at various communication layers to protect the corporate network. At the packet layer, Forefront TMG implements packet filtering. Data then passes to the Microsoft Firewall service and, when necessary, to the Web proxy, where Forefront TMG rules are processed to determine if the request should be serviced.

The following figure shows in detail the architecture of the Forefront TMG array.

By default, a Forefront TMG array includes only one Forefront TMG computer, and associating additional Forefront TMG computers with an array is not supported in Forefront TMG Medium Business Edition. The following explanation focuses on the architecture of a single Forefront TMG computer. The server includes these components:

As shown in the diagram, Forefront TMG protects three types of clients:

Note  Firewall client computers and SecureNAT client computers can also be Web proxy clients. If the Web application on the computer is configured explicitly to use the Forefront TMG, then all Web requests (HTTP, HTTP-S, and FTP download requests) are sent directly to the Web proxy. Also, requests generated by applications that do not use Winsock APIs on Firewall clients are processed as requests from a SecureNAT client if their default gateway is configured so that traffic is sent by way of the Forefront TMG computer either directly or indirectly, through a router.

Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.