
To configure application settings for Forefront TMG Client

Configuring application settings for Forefront TMG Clients
Published: November 15, 2009
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
You can define application settings in Forefront TMG which apply to all computers on which the
Forefront TMG Client is installed in networks that are protected by Forefront TMG. Application
settings consist of {key, value} pairs that specify how the Forefront TMG Client software behaves
with the specific application.
The following procedure describes how to configure new application settings, edit existing
application settings, and delete application settings.
1. In the Forefront TMG Management console, in the tree, click Networking, and then click
the Networks tab.
2. In the task pane, on the Tasks tab, under Related Tasks, select Configure Firewall
Client Settings.
3. To configure a new application setting, do the following:
a. On the Application Settings tab, click New.
b. On the Application Entry Setting dialog box, enter the application name, key, and
value, and then click OK.
4. To modify an existing application setting, in the Settings list, click the application, and
then click Edit. Apply the change and click OK.
5. To delete an existing application setting, in the Settings list, click the application, and then
click Remove.
You can modify application settings in Forefront TMG Management so that they apply to all computers
on which the Forefront TMG Client is installed. The following table lists the entries that you can
include when configuring the Forefront TMG Client application settings. The first column lists the
keys that can be included in the configuration files. The second column describes the values to
which the keys can be set. Note that some settings can be configured only on the computer which has
the Forefront TMG Client installed.
Application Settings (each key is followed by its value)

ServerName
Specifies the name of the Forefront TMG server computer to which Forefront TMG Client should connect.

Page 1 of 4 Configuring application settings for Forefront TMG Clients
25/12/2012 http://technet.microsoft.com/en-us/library/ee658144(d=printer).aspx

Disable
Possible values: 0 or 1. When the value is set to 1, the Forefront TMG Client application is disabled for the specific client application, except when the Forefront TMG Client configuration explicitly exempts the process initiating traffic.

DisableEx
Possible values: 0 or 1. When the value is set to 1, Forefront TMG Client application is disabled for the specific client application. When set, overrides the Disable setting. For example, for svchost, DisableEx is enabled by default.

Autodetection
Possible values: 0 or 1. When the value is set to 1, Forefront TMG Client application automatically finds the Forefront TMG computer to which it should connect.

NameResolution
Possible values: L or R. By default, dotted domain names are redirected to the Forefront TMG computer for name resolution and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the Forefront TMG computer for resolution. When the value is set to L, all names are resolved on the local computer.

LocalBindTcpPorts
Specifies a TCP port, list, or range that is bound locally.

LocalBindUdpPorts
Specifies a UDP port, list, or range that is bound locally.

DontRemoteOutboundTcpPorts
Specifies an outbound TCP port, list, or range that will not be connected through Forefront TMG (connect requests that will not be sent to Forefront TMG). Use this entry to specify the ports on which clients should not communicate with Forefront TMG. This is useful when protecting the Forefront TMG firewall from attacks on the Internal network, which are spread by accessing a fixed port at random locations.

DontRemoteOutboundUdpPorts
Specifies an outbound UDP port, list, or range that is bound locally.

RemoteBindTcpPorts
Specifies a TCP port, list, or range that is bound remotely.

RemoteBindUdpPorts
Specifies a UDP port, list, or range that is bound remotely.

ProxyBindIP
Specifies an IP address or list that is used when binding with a corresponding port. Use this entry when multiple servers that use the same port need to bind to the same port on different IP addresses on the Forefront TMG computer. The syntax of the entry is: ProxyBindIp=[port]:[IP address], [port]:[IP address]. The port numbers apply to both TCP and UDP ports.

ServerBindTcpPorts
Specifies a TCP port, list, or range for all ports that should accept more than one connection.

Persistent
Possible values: 0 or 1. When the value is set to 1, a specific server state can be maintained on Forefront TMG if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets upon server restart.

ForceCredentials
Used when running a Windows service or server application such as Forefront TMG Client. When the value is set to 1, it forces the use of alternate user authentication credentials that are stored locally on the computer that is running the service. The user credentials are stored on the client computer using the FwcCreds.exe application that is provided with Forefront TMG. User credentials must reference a user account that can be authenticated by Forefront TMG, either local to Forefront TMG or in a domain trusted by Forefront TMG. The user account is normally set not to expire. Otherwise, user credentials need to be renewed each time the account expires.

NameResolutionForLocalHost
Possible values: L (default), P, or E. Used to specify how the local (client) computer name is resolved, when the gethostbyname API is called. The LocalHost computer name is resolved by calling the Winsock API function gethostbyname() using the LocalHost string, an empty string, or a NULL string pointer. Winsock applications call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server. When this option is set to L, gethostbyname() returns the IP addresses of the local host computer. When this option is set to P, gethostbyname() returns the IP addresses of the Forefront TMG computer. When this option is set to E, gethostbyname() returns only the external IP addresses of the Forefront TMG, that is, those IP addresses that are not in the local address table.

ControlChannel
Possible values: Wsp.udp or Wsp.tcp (default). Specifies the type of control channel used.

EnableRouteMode
Possible values: 0 or 1 (default). When EnableRouteMode is set to 1 and a route relationship is configured between the Forefront TMG Client computer and the requested destination, the IP address of the Forefront TMG Client is used as the source address. When the value is set to 0, the IP address of the Forefront TMG computer is used. This flag does not apply to older versions of Firewall client.
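
The following Python check is an added example, not part of the original Microsoft page: it validates one application's settings against the keys and value domains in the table and marks well-formed entries that a reviewer should still justify (Disable, DisableEx or ForceCredentials set to 1, and any DontRemoteOutbound port list). Assumptions: port lists are comma-separated with low-high ranges, keys are matched case-insensitively, and the function names, the application name and the sample values are constructed for illustration.

```python
import ipaddress

FLAG = {"0", "1"}  # value domains below are copied from the table above
ENUMS = {"Disable": FLAG, "DisableEx": FLAG, "Autodetection": FLAG, "Persistent": FLAG,
         "ForceCredentials": FLAG, "EnableRouteMode": FLAG, "NameResolution": {"L", "R"},
         "NameResolutionForLocalHost": {"L", "P", "E"}, "ControlChannel": {"Wsp.udp", "Wsp.tcp"}}
PORT_KEYS = {"LocalBindTcpPorts", "LocalBindUdpPorts", "RemoteBindTcpPorts", "RemoteBindUdpPorts",
             "ServerBindTcpPorts", "DontRemoteOutboundTcpPorts", "DontRemoteOutboundUdpPorts"}
# Assumption: keys are case-insensitive (the page writes both ProxyBindIP and ProxyBindIp).
CANON = {k.lower(): k for k in [*ENUMS, *PORT_KEYS, "ProxyBindIP", "ServerName"]}

def port_ok(text):
    return text.isdecimal() and 1 <= int(text) <= 65535

def range_ok(item):  # assumed syntax: one port or low-high, e.g. 6970-7170
    lo, sep, hi = item.partition("-")
    return port_ok(lo) and (not sep or (port_ok(hi) and int(lo) <= int(hi)))

def bind_ok(item):  # syntax given on the page: [port]:[IP address]
    port, _, ip = item.partition(":")
    try:
        ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return port_ok(port.strip())

def well_formed(key, value):
    if key in ENUMS:
        return value in ENUMS[key]
    # Port keys and ProxyBindIP take comma-separated lists; ServerName must be non-empty.
    check = range_ok if key in PORT_KEYS else bind_ok if key == "ProxyBindIP" else bool
    return all(check(item.strip()) for item in value.split(","))

def audit(app, settings):  # returns (level, text) findings for one application's pairs
    out = []
    for raw, value in settings.items():
        key = CANON.get(raw.lower())
        if key is None:
            out.append(("error", f"{app}: unknown key {raw}"))
        elif not well_formed(key, value):
            out.append(("error", f"{app}: invalid value {value!r} for {key}"))
        elif key.startswith("DontRemote") or (
                value == "1" and key in ("Disable", "DisableEx", "ForceCredentials")):
            out.append(("review", f"{app}: {key}={value}"))  # valid, but needs a reason
    return out

# Constructed sample, not taken from a real deployment.
SAMPLE = {"Disable": "1", "NameResolution": "X", "ProxyBindIp": "25:10.0.0.5, 80:10.0.0.6",
          "RemoteBindUdpPorts": "6970-7170", "DontRemoteOutboundTcpPorts": "445", "Foo": "1"}
FINDINGS = audit("sampleapp", SAMPLE)
```

Entries reported as "review" are valid settings; the point of listing them is that each one should have a recorded reason in the change request.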