Forefront Threat Management Gateway (TMG) 2010 and Windows Firewall Integration
With previous versions of Microsoft ISA Server running on Windows Server 2003, the Windows Firewall and Internet Connection Sharing (ICS) services were disabled by default.
After installing Microsoft Forefront Threat Management Gateway (TMG) 2010, you may have noticed that the Windows Firewall service is still enabled.
The reason for this is that the TMG Firewall integrates with the local Windows firewall instead of replacing it. This is made possible by the Windows Filtering Platform (WFP) which makes incorporating firewall services in to the operating system’s networking stack much easier. If you take a closer look you will see that TMG is simply a Windows Filtering Platform registrant.
Having the Windows Firewall service running on a TMG firewall is by design. Since TMG depends on the Windows Firewall service for operation, and the Windows Firewall service can be configured via Active Directory Group Policy, there is the potential for conflict that may result in the TMG firewall not working correctly. To avoid this scenario, create a separate OU dedicated to the TMG firewall systems and filter out any GPOs that make changes to the Windows Firewall configuration.