Preparing Forefront TMG 2010 for Enterprise Workgroup Deployment

March 15, 2011

Deploying Forefront Threat Management Gateway (TMG) 2010 in a workgroup (non-domain joined) enterprise array configuration can present a significant challenge to many administrators. This post isn’t meant to be a comprehensive TMG Enterprise Management Server (EMS) deployment guide, but I would like to share with you a few important tips that will hopefully make the process of creating an EMS-managed array a little easier.

Before Installing EMS

IP Addressing – Make certain that all basic IP connectivity is verified before installing any Forefront TMG 2010 services.

Name Resolution – Confirm that name resolution is working properly and that hostnames are being resolved to the correct IP addresses. Be sure that these IP addresses are assigned to the Internal network interface of the EMS and each array member.

Certificates – The EMS will require a machine certificate, and each array member should trust the Certificate Authority (CA) that issued this certificate. It is recommended that this certificate be issued by your internal private CA and not a public third-party CA. The certificate should be for server authentication and the common name on the certificate should be the FQDN of the host it is to be installed on. Be sure to install the root certificate and any intermediate certificates for the CA on the EMS and each array member. Make certain the certificate is issued with the option for the private key to be exportable.

Local Accounts – Identical (mirrored) local accounts should be configured on the EMS and each array member and be granted administrative rights for the Forefront TMG 2010 Enterprise.

After Installing EMS

Before joining a TMG firewall to an array, you can perform some preliminary tests to determine if certificate authentication between hosts is working correctly. To do this, open a PowerShell command window and enter the following commands to install the AD LDS remote administration tools, which provide ldp.exe:

Import-Module ServerManager
Add-WindowsFeature RSAT-ADLDS

Once complete, click Start | Run and enter ldp.exe. From the drop-down menu choose Connection, and then Connect…. For the server, enter the fully-qualified domain name (FQDN) of the EMS, specify port 2172, and then select the option to use SSL.

If certificate authentication is working correctly you will connect to the RootDSE. If it is not configured correctly you will receive a connection error.

To determine if user authentication is working correctly, select Connection from the drop-down menu and then Bind…. If you are currently logged on with the local mirrored account, select the option to Bind as currently logged on user; otherwise, select Bind with credentials and enter the user name and password of the mirrored account (leave the domain blank).

If configured correctly you will receive notification that you have been authenticated. If not, you will be notified that the logon attempt failed.
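The SSL connection test above can also be scripted. The following is an added example, not part of the original post: it opens the same TLS connection to the EMS on port 2172 and reports whether the certificate name matched, whether the issuing CA chain is trusted, and whether the certificate carries the Server Authentication usage. The function name Test-EmsCertificate and the host name ems01.example.local are placeholders.

```powershell
# Added example, not from the original post. Targets Windows PowerShell 2.0.
function Test-EmsCertificate {
    param([Parameter(Mandatory = $true)][string]$EmsFqdn, [int]$Port = 2172)
    $script:emsCert = $null
    $script:emsErrors = 0
    # Record how Windows judges the EMS certificate; validation stays enforced.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $sslPolicyErrors)
        if ($certificate) {
            $script:emsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        }
        $script:emsErrors = [int]$sslPolicyErrors
        return ($script:emsErrors -eq 0)
    }

    $handshakeOk = $true
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($EmsFqdn, $Port)   # throws if the name or IP path is broken
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($EmsFqdn) } catch { $handshakeOk = $false }
    }
    finally { $tcp.Close() }

    $cert = $script:emsCert
    $nameFlag  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    # Collect EKU OIDs; a certificate with no EKU extension reports False below.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        HandshakeOk   = $handshakeOk
        Subject       = $(if ($cert) { $cert.Subject })
        NameMatches   = ($cert -ne $null) -and (($script:emsErrors -band $nameFlag) -eq 0)
        ChainTrusted  = ($cert -ne $null) -and (($script:emsErrors -band $chainFlag) -eq 0)
        ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')   # Server Authentication OID
    } | Select-Object HandshakeOk, Subject, NameMatches, ChainTrusted, ServerAuthEku
}

# ems01.example.local is a placeholder; use the FQDN from the EMS certificate.
Test-EmsCertificate -EmsFqdn 'ems01.example.local' | Format-List
```

NameMatches False points at the common name or the name you typed; ChainTrusted False points at a missing root or intermediate CA certificate on the machine running the test. The bind test still has to be done separately.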

Once you’ve completed these steps you can proceed with configuring the TMG firewall to join the array. Be sure to specify the name of the EMS in exactly the same format as the certificate common name (preferably using the FQDN).

  1. ibrahim
    January 13, 2012 at 8:35 pm

    I have a problem with deploying a TMG array with EMS in a workgroup. My questions are:
    1. Where do I create the TrustedRootCA? In EMS?
    2. What certificates do I need to create, and where do I create them?
    3. What certificates do I need to install on each node?


  2. January 16, 2012 at 10:46 am

    Hi Ibrahim,

    Jason Jones has excellent, detailed and prescriptive documentation for deploying Forefront TMG 2010 enterprise edition in a workgroup environment available here:



  3. myself
    February 13, 2012 at 9:58 am

    It doesn’t talk about EMS, only a standalone array.
    I need to know how to do it with EMS in WRKGRP.

  4. February 13, 2012 at 4:57 pm

    This article talks exclusively about deploying Forefront TMG 2010 with EMS in workgroup mode. I’ve also included links to reference articles on how to configure TMG with EMS in a workgroup.

  5. March 14, 2012 at 1:15 am

    Can you tell me, after configuring EMS, then install Forefront TMG? I want to install Forefront TMG without a domain, this is the solution, if you have any idea?

    System Engineer

  6. March 17, 2012 at 10:37 am

    Yes, if you want to install Forefront TMG 2010 in a workgroup environment (non domain-joined) then using machine certificates is required for server authentication. This post doesn’t provide guidance for that, just troubleshooting in this scenario. For details on the initial setup and configuration for Forefront TMG 2010 workgroup deployments, please see the following article on Microsoft TechNet:



  7. MAK
    November 4, 2013 at 2:16 am

    Hi Richard,

    I am planning to migrate from ISA 2006 to TMG. I have 06 ISA servers located in a DMZ environment in workgroup mode as an NLB array. As I said, I want to move to TMG. Please tell me, can I go with ISA 2006 WG to TMG WG? Because I read that’s not possible: in order to move from ISA WG to TMG, the TMG must be in a domain environment. Please share your experience with some details. Thanks.

  8. November 6, 2013 at 10:16 am

    That’s not true at all. You can migrate from ISA EE in workgroup mode to TMG EE in workgroup mode. It is not required that Forefront TMG 2010 be a member of the domain to support enterprise deployment or migration scenarios.
