Mark’s rules for TMG Firewall client (MRFTFC)

Mark Stanfill has started a great series, via his Twitter account, covering EBS rules for TMG. So good that I thought it a great idea to include them here. I’ll add to this post as he adds additional rules. Following are the first sets, plus a bonus precursor:

#EBS08 New series: Mark’s rules for TMG Firewall client (MRFTFC)

#EBS08 Never use ‘route add’ on TMG. Use the TMG getting started wizard instead. Look for startup scripts that do route adds, exclude admin

#EBS08 MRFTFC #1 – You probably don’t need the FWC. 99% of apps can get by with SNAT and web proxy

#EBS08 MRFTFC #2 – Install from Management Server (not Security): C:\Program Files\Windows Essential Business Server\bin\ISA\client

#EBS08 MRFTFC #3 You only need the FWC if you have an APP that needs it or if you want to track access by user rather than by IP.

#EBS08 MRFTFC #4 Down-level FWC from ISA 2004/6 still works, but you should update it if you use it.

New #EBS08 TMG rule 1 – never, ever use “route add” – you will corrupt the IP stack

New #EBS08 TMG rule 2 – add routes via the getting started wizard only – TMG Console -> Forefront TMG -> Tasks
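Rules 1 and 2 (and the earlier "look for startup scripts that do route adds") are easier to enforce with a quick audit than by memory. The script below is an added example, not Mark's code or anything shipped with EBS: it scans the GPO and NETLOGON script folders in SYSVOL for `route add` / `route -p add` lines and lists any persistent routes already written to the TCP/IP registry key on the local server, which is where `route -p add` stores them. The domain name, SYSVOL paths and the set of script extensions are assumptions; adjust them for your forest. It is written to run on PowerShell 2.0 (the version on a 2008-era Security Server).

```powershell
# Added example (not from the original tweets or the EBS product).
# Audit for "route add" in startup/logon scripts and for persistent routes
# already present on this server, so routes can be re-added through the
# TMG Getting Started Wizard instead. Paths below are assumptions.
$ScriptRoots = @(
    '\\contoso.local\SYSVOL\contoso.local\scripts',   # NETLOGON scripts (assumed domain name)
    '\\contoso.local\SYSVOL\contoso.local\Policies'   # GPO startup/logon scripts
)
$ScriptTypes = @('*.bat', '*.cmd', '*.ps1', '*.vbs')

# Matches "route add ..." and "route -p add ..." (persistent), case-insensitive.
$RouteAddPattern = '\broute(\.exe)?\s+(-p\s+)?add\b'

# Registry location where "route -p add" stores persistent routes
# (value names look like "0.0.0.0,0.0.0.0,10.0.0.1,1").
$PersistentRoutesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'

function Find-RouteAddInScripts {
    param([string[]]$Roots, [string[]]$Types, [string]$Pattern)
    Get-ChildItem -Path $Roots -Recurse -Include $Types -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            Select-String -Path $_.FullName -Pattern $Pattern | ForEach-Object {
                New-Object PSObject -Property @{
                    Script = $_.Path
                    Line   = $_.LineNumber
                    Text   = $_.Line.Trim()
                }
            }
        }
}

function Get-PersistentRoutes {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    # Each persistent route is a value *name*; the data is empty.
    (Get-Item $Key).GetValueNames() | Where-Object { $_ -ne '' }
}

$hits = @(Find-RouteAddInScripts -Roots $ScriptRoots -Types $ScriptTypes -Pattern $RouteAddPattern)
if ($hits.Count -gt 0) {
    $hits | Format-Table Script, Line, Text -AutoSize
    Write-Warning ("{0} script line(s) run 'route add'. Remove them (or exclude the TMG server from " +
                   "that GPO) and add the routes via TMG Console -> Forefront TMG -> Tasks -> Getting Started Wizard." -f $hits.Count)
} else {
    Write-Host "No 'route add' commands found under the scanned script roots."
}

$persistent = @(Get-PersistentRoutes -Key $PersistentRoutesKey)
if ($persistent.Count -gt 0) {
    Write-Warning ("{0} persistent route(s) were added outside TMG on this server:" -f $persistent.Count)
    $persistent | ForEach-Object { Write-Host ("  " + $_) }
} else {
    Write-Host "No persistent routes found in $PersistentRoutesKey."
}
```

Run it on the Security Server as an account that can read SYSVOL. A non-empty persistent-route list is the symptom rule 1 warns about: those entries were written by `route -p add`, not by the wizard, and are the ones to remove and re-create through the TMG console.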

New #EBS08 TMG rule 3 – Only use TMG Console to configure VPN, never RRAS Mgmt console

New #EBS08 TMG rule 4 – Never, ever, ever, ever disable IPv6 on Security Server – you will never fix anything, but you will break RRAS

New #EBS08 TMG rule 5 – Networks under TMG Console\Networking\Networks must have an interface on TMG server itself or we’ll drop traffic

New #EBS08 TMG rule 6 – deploy firewall client via gpo from MGMT server: c:\progra~1\window~3\bin\isa\client — Exclude Servers from GPO

-Additional markstan comment: It depends on the app and the environment. Use FWC if you need user auditing, don’t want to use default gateway, or know that you will have a lot of custom protocols. Undefined protocols = block for SNAT, access for FWC.

New #EBS08 TMG rule 7 – for WMI to work you must disable Enforce Strict RPC Compliance on all applicable access policies and system policies

#EBS08 TMG – if you are publishing TS to another server, TS to TMG will fail. Set the winstations regkey to 3390 on TMG, reboot, create access policy for internal to localhost
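The "winstations regkey" in the tweet is the Terminal Services listener's port value. The script below is an added example, not Mark's code or part of EBS: it reads the current RDP listener port on the TMG server and moves it to 3390 so the published TS server can keep 3389. The registry path used is the standard `RDP-Tcp` listener key; the reboot and the TMG access rule (Internal to Local Host on TCP 3390) are still manual steps, exactly as the tweet says, and the script only reminds you of them.

```powershell
# Added example (not from the original tweets or the EBS product).
# Move this TMG server's own RDP listener off 3389 so that Terminal Services
# publishing to another internal server no longer collides with the TMG host.
$RdpListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$NewRdpPort     = 3390   # the port the tweet recommends for the TMG server itself

function Get-RdpListenerPort {
    # PortNumber is a DWORD under the RDP-Tcp listener key.
    (Get-ItemProperty -Path $RdpListenerKey -Name PortNumber).PortNumber
}

function Set-RdpListenerPort {
    param([int]$Port)
    if ($Port -lt 1024 -or $Port -gt 65535) { throw "Port $Port is out of the usable range." }
    # The existing value is already a DWORD, so its type is preserved.
    Set-ItemProperty -Path $RdpListenerKey -Name PortNumber -Value $Port
}

$current = Get-RdpListenerPort
Write-Host ("Current RDP listener port on this server: {0}" -f $current)

if ($current -eq $NewRdpPort) {
    Write-Host "Listener is already on $NewRdpPort; nothing to change."
} else {
    Set-RdpListenerPort -Port $NewRdpPort
    Write-Host ("PortNumber set to {0}. Remaining manual steps:" -f $NewRdpPort)
    Write-Host "  1. Reboot the TMG server (the listener reads PortNumber at service start)."
    Write-Host "  2. In TMG Console, create an access rule Internal -> Local Host for TCP $NewRdpPort."
    Write-Host "  3. Reconnect with: mstsc /v:<tmg-server>:$NewRdpPort"
}
```

Do step 2 before you rely on the new port from a workstation: until the access rule exists, TMG's own policy will drop inbound 3390 from the internal network even though the listener is bound to it.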


#EBS08 TMG – Want to query RBLs for SMTP? Create an access rule for DNS (not DNS server) from localhost to external. Not there by default.

#EBS08 TMG rule – TMG requires IPv6. Never disable via registry or uncheck from ncpa.cpl. This will lead to routing issues and application crashes. I’ve seen random blue screens, but never been able to repro.

#EBS08 TMG tip – you can copy rules via ctrl-c/ctrl-v, modify settings (like port #) to save time.

#EBS08 TMG tip – getting started wizard (for adding static routes) must be run on Security Server itself (can’t do from mgmt)

#EBS08 TMG TIP – slow web page load/dns name resolution – use the script from

#EBS08 TMG TIP 3 updates that need additional work on Security Server – and

#EBS08 TMG Tip – TMG comes with a 1yr AV subscription. TMG Console\Update Center\Highlight ‘Malware Inspection’\Configure License details

#EBS08 TMG TIP – renew licensing for TMG – To renew, contact your Microsoft Partner or Small Business Specialist.

#EBS08 TMG – Networking\Networks\Internal\Web Browser – ‘Directly access computers specified in the addresses tab’ needs to be checked

#EBS08 TMG TIP – quick TMG backup – EBSAdmin console\Security tab\highlight Network firewall\Save network firewall settings

#EBS08 TMG TIP – Native TMG backup – right-click Forefront TMG (servername) in TMG Console -> Export (Back Up)… – choose the defaults.

#EBS08 TMG : Reset TMG to day1 (all ebs services published) in Admin Console\Security\Network firewall\restore default network firewall set

#EBS08 TMG – TMG has a 1 GB limit on http downloads by default

#EBS08 TMG – TMG download limits = TMG Console\Web Access Policy\Configure Malware Inspection\Inspection Settings

#EBS08 TMG – Email a daily network usage report – TMG Console\Monitoring\Reporting\Create Recurring Report Job

#EBS08 – To run IT Health Scanner w/ TMG – create allow all access rule as rule #1, disable strict rpc checking there & on system policy\AD

  – blog post: – How to run the IT Environment Health Scanner in an EBS Environment

#EBS08 – Update to blog post – – Preparation Wizard/IT Environment Health Scanner fail with DNS WMI Provider error

Not labeled TMG by Mark, but worth having in this list:

#EBS08 browser access from security server itself – you must manually configure proxy, port 8080, set exclusion for local domain

#EBS08 – security server unable to get updates? Check the proxy exclusions list first.
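The two tips above are the same setting seen from two sides: the browser on the Security Server needs the TMG web proxy on 8080 with the local domain excluded, and Windows Update (which talks through WinHTTP, not the browser's settings) fails when that exclusion is missing. The script below is an added example, not Mark's code or part of EBS: it sets the WinINET (browser) proxy and bypass list in the registry, then imports the same settings into WinHTTP with `netsh` and shows the result so the exclusion list can be checked. The server name and domain suffix are assumptions; `<local>` is the standard WinINET token for non-dotted hostnames.

```powershell
# Added example (not from the original tweets or the EBS product).
# Configure the Security Server's own web proxy (browser) and mirror it into
# WinHTTP so services such as Windows Update use the same exclusions.
$ProxyServer  = 'securityserver.contoso.local:8080'   # assumed TMG web proxy listener
$ProxyBypass  = '*.contoso.local;<local>'             # local domain + non-dotted names stay direct
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-BrowserProxy {
    param([string]$Server, [string]$Bypass)
    # WinINET reads these three values for the current user's browser sessions.
    Set-ItemProperty -Path $InetSettings -Name ProxyEnable   -Value 1
    Set-ItemProperty -Path $InetSettings -Name ProxyServer   -Value $Server
    Set-ItemProperty -Path $InetSettings -Name ProxyOverride -Value $Bypass
}

function Get-BrowserProxy {
    Get-ItemProperty -Path $InetSettings | Select-Object ProxyEnable, ProxyServer, ProxyOverride
}

function Test-BypassCoversLocalDomain {
    param([string]$Bypass, [string]$DomainSuffix)
    # The "unable to get updates" case: the internal update source must be in the bypass list.
    ($Bypass -split ';') -contains ('*.' + $DomainSuffix)
}

Set-BrowserProxy -Server $ProxyServer -Bypass $ProxyBypass
Get-BrowserProxy

if (-not (Test-BypassCoversLocalDomain -Bypass $ProxyBypass -DomainSuffix 'contoso.local')) {
    Write-Warning "Bypass list does not cover the local domain; internal update traffic would be proxied."
}

# Copy the browser settings into WinHTTP (used by Windows Update and other
# services), then display them so the exclusion list can be verified.
netsh winhttp import proxy source=ie
netsh winhttp show proxy
```

When the "unable to get updates" symptom appears, `netsh winhttp show proxy` is the first thing to look at: if the bypass list shown there does not include the local domain, update traffic to the internal update server is being sent through the proxy instead of directly.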

#EBS08 MRFTFC – Address ranges, subnets, and computer set objects should not contain the TMG server’s IPs (rare exceptions).

#EBS08 MRFTFC – OWA HTTP 500/error 12217 = disable normalization on the OWA publishing rule

#EBS08 MRFTFC OWA “Could not connect to a directory server” error = disable link translation on OWA publishing rule.

#EBS08 MRFTFC Slow or failed FTP behind TMG? Create the reg key in and restart server. (many other potential causes)

#EBS08 MRFTFC Postback errors uploading to or configuring SharePoint? Add /WebResource.axd* to the SharePoint publishing rule’s path.

#EBS08 MRFTFC to repair or uninstall/reinstall SCE Agent on Sec Server, “net stop fweng /y”, install or repair, then “net start fwsrv”

