Forefront Configuration Client Console

Configuring application settings for Forefront TMG Clients, 25/12/2012, http://technet.microsoft.com/en-us/library/ee658144(d=printer).aspx

Configuring application settings for Forefront TMG Clients

Published: November 15, 2009

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

You can define application settings in Forefront TMG which apply to all computers on which the Forefront TMG Client is installed in networks that are protected by Forefront TMG. Application settings consist of {key, value} pairs that specify how the Forefront TMG Client software behaves with the specific application.

The following procedure describes how to configure new application settings, edit existing application settings, and delete application settings.

To configure application settings for Forefront TMG Client

1. In the Forefront TMG Management console, in the tree, click Networking, and then click the Networks tab.
2. In the task pane, on the Tasks tab, under Related Tasks, select Configure Firewall Client Settings.
3. To configure a new application setting, do the following:
   a. On the Application Settings tab, click New.
   b. On the Application Entry Setting dialog box, enter the application name, key, and value, and then click OK.
4. To modify an existing application setting, in the Settings list, click the application, and then click Edit. Apply the change and click OK.
5. To delete an existing application setting, in the Settings list, click the application, and then click Remove.

You can modify application settings in Forefront TMG Management, to apply to all computers on which the Forefront TMG Client is installed. The following table lists the entries that you can include when configuring the Forefront TMG Client application settings. The first column lists the keys that can be included in the configuration files. The second column describes the values to which the keys can be set. Note that some settings can be configured only on the computer which has the Forefront TMG Client installed.

Application Settings

| Keys | Value |
| --- | --- |
| ServerName | Specifies the name of the Forefront TMG server computer to which Forefront TMG Client should connect. |
| Disable | Possible values: 0 or 1. When the value is set to 1, the Forefront TMG Client application is disabled for the specific client application, except when the Forefront TMG Client configuration explicitly exempts the process initiating traffic. |
| DisableEx | Possible values: 0 or 1. When the value is set to 1, Forefront TMG Client application is disabled for the specific client application. When set, overrides the Disable setting. For example, for svchost, DisableEx is enabled by default. |
| Autodetection | Possible values: 0 or 1. When the value is set to 1, Forefront TMG Client application automatically finds the Forefront TMG computer to which it should connect. |
| NameResolution | Possible values: L or R. By default, dotted domain names are redirected to the Forefront TMG computer for name resolution and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the Forefront TMG computer for resolution. When the value is set to L, all names are resolved on the local computer. |
| LocalBindTcpPorts | Specifies a TCP port, list, or range that is bound locally. |
| LocalBindUdpPorts | Specifies a UDP port, list, or range that is bound locally. |
| DontRemoteOutboundTcpPorts | Specifies an outbound TCP port, list, or range that will not be connected through Forefront TMG (connect requests that will not be sent to Forefront TMG). Use this entry to specify the ports on which clients should not communicate with Forefront TMG. This is useful when protecting the Forefront TMG firewall from attacks on the Internal network, which are spread by accessing a fixed port at random locations. |
| DontRemoteOutboundUdpPorts | Specifies an outbound UDP port, list, or range that is bound locally. |
| RemoteBindTcpPorts | Specifies a TCP port, list, or range that is bound remotely. |
| RemoteBindUdpPorts | Specifies a UDP port, list, or range that is bound remotely. |
| ProxyBindIP | Specifies an IP address or list that is used when binding with a corresponding port. Use this entry when multiple servers that use the same port need to bind to the same port on different IP addresses on the Forefront TMG computer. The syntax of the entry is: ProxyBindIp=[port]:[IP address], [port]:[IP address] The port numbers apply to both TCP and UDP ports. |
| ServerBindTcpPorts | Specifies a TCP port, list, or range for all ports that should accept more than one connection. |
| Persistent | Possible values: 0 or 1. When the value is set to 1, a specific server state can be maintained on Forefront TMG if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets upon server restart. |
| ForceCredentials | Used when running a Windows service or server application such as Forefront TMG Client. When the value is set to 1, it forces the use of alternate user authentication credentials that are stored locally on the computer that is running the service. The user credentials are stored on the client computer using the FwcCreds.exe application that is provided with Forefront TMG. User credentials must reference a user account that can be authenticated by Forefront TMG, either local to Forefront TMG or in a domain trusted by Forefront TMG. The user account is normally set not to expire. Otherwise, user credentials need to be renewed each time the account expires. |
| NameResolutionForLocalHost | Possible values: L (default), P, or E. Used to specify how the local (client) computer name is resolved, when the gethostbyname API is called. The LocalHost computer name is resolved by calling the Winsock API function gethostbyname() using the LocalHost string, an empty string, or a NULL string pointer. Winsock applications call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server. When this option is set to L, gethostbyname() returns the IP addresses of the local host computer. When this option is set to P, gethostbyname() returns the IP addresses of the Forefront TMG computer. When this option is set to E, gethostbyname() returns only the external IP addresses of the Forefront TMG—those IP addresses that are not in the local address table. |
| ControlChannel | Possible values: Wsp.udp or Wsp.tcp (default). Specifies the type of control channel used. |
| EnableRouteMode | Possible values: 0 or 1 (default). When EnableRouteMode is set to 1 and a route relationship is configured between the Forefront TMG Client computer and the requested destination, the IP address of the Forefront TMG Client is used as the source address. When the value is set to 0, the IP address of the Forefront TMG computer is used. This flag does not apply to older versions of Firewall client. |

Related Topics

Concepts

Deploying Forefront TMG Client: http://technet.microsoft.com/en-us/library/cc441585.aspx

Configuring client computers: http://technet.microsoft.com/en-us/library/cc441532.aspx

© 2012 Microsoft. All rights reserved.
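The value rules from the Application Settings table on this page, written as a small audit over per-application {key, value} settings. This is an added example, not Microsoft's code. The comma-and-dash port syntax, exact-case key matching, the finding texts and the sample application names are assumptions.

```python
import ipaddress
import re
# Value rules transcribed from the Application Settings table on this page.
BOOL_KEYS = {"Disable", "DisableEx", "Autodetection", "Persistent",
             "ForceCredentials", "EnableRouteMode"}
ENUM_KEYS = {"NameResolution": {"L", "R"}, "ControlChannel": {"Wsp.udp", "Wsp.tcp"},
             "NameResolutionForLocalHost": {"L", "P", "E"}}
PORT_KEYS = {"LocalBindTcpPorts", "LocalBindUdpPorts", "RemoteBindTcpPorts",
             "RemoteBindUdpPorts", "DontRemoteOutboundTcpPorts",
             "DontRemoteOutboundUdpPorts", "ServerBindTcpPorts"}

def valid_ports(spec):
    # Assumed syntax: comma-separated ports and low-high ranges ("80, 6000-6010").
    parts = [re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", p) for p in spec.split(",")]
    return all(m and 1 <= int(m[1]) <= int(m[2] or m[1]) <= 65535 for m in parts)

def valid_proxy_bind(spec):
    # Documented syntax: [port]:[IP address], [port]:[IP address]
    try:
        for pair in spec.split(","):
            port, _, ip = pair.strip().partition(":")
            ipaddress.ip_address(ip.strip())  # raises ValueError on a bad address
            if "-" in port or not valid_ports(port):
                return False
    except ValueError:
        return False
    return True

def audit(app, settings):
    checks = {**{k: lambda v: v in ("0", "1") for k in BOOL_KEYS},
              **{k: lambda v, a=a: v in a for k, a in ENUM_KEYS.items()},
              **{k: valid_ports for k in PORT_KEYS},
              "ProxyBindIP": valid_proxy_bind, "ServerName": lambda v: bool(v.strip())}
    findings = []
    for key, value in settings.items():
        if key not in checks:
            findings.append(f"{app}: unknown key {key}")
        elif not checks[key](value):
            findings.append(f"{app}: invalid value {value!r} for {key}")
    if settings.get("DisableEx") == "1":
        findings.append(f"{app}: DisableEx=1, client disabled (overrides Disable)")
    elif settings.get("Disable") == "1":
        findings.append(f"{app}: Disable=1, client disabled unless process is exempted")
    if settings.get("ForceCredentials") == "1":
        findings.append(f"{app}: ForceCredentials=1, uses locally stored credentials")
    return findings

# Constructed sample settings; application names and values are hypothetical.
SAMPLE = {"svchost": {"DisableEx": "1"},
          "mailsrv": {"ForceCredentials": "1", "ServerBindTcpPorts": "25, 110-70000"}}
```

Calling `audit(app, settings)` for each entry in `SAMPLE` returns the findings as a list of strings, one per invalid value or setting worth reviewing.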