Installing GFI WebMonitor in parallel with Microsoft Forefront TMG

GFI WebMonitor can be installed on the same machine where Microsoft Forefront TMG is running. (Microsoft Forefront TMG is Microsoft Forefront Threat Management Gateway, a Microsoft product that provides firewall and web proxy services. It also enables administrators to manage Internet access through policies. It is the successor of the Microsoft ISA Server and is part of the Microsoft Forefront line of business security software.)

When installed in parallel with Microsoft Forefront TMG, GFI WebMonitor performs web filtering and proxy functions. Microsoft Forefront TMG serves as a firewall. This setup also provides an alternative when it is not possible to add another dedicated machine in the network just for GFI WebMonitor.

GFI WebMonitor for TMG and GFI WebMonitor Standalone Proxy use two different sets of license keys that are not interchangeable. Contact your reseller if you need to shift between these two modes.

NOTE

GFI WebMonitor cannot be deployed in Transparent Proxy mode when installing on a Microsoft Forefront TMG server. For more information refer to Configuring Transparent Proxy.

The installation process is similar to the regular GFI WebMonitor Proxy edition installation, with an additional step that asks how to integrate GFI WebMonitor with Microsoft Forefront TMG. Choose "Install as a proxy in parallel to Microsoft Forefront TMG" to deploy using this method. For more information refer to Installing GFI WebMonitor.

After the installation or upgrade is complete, client machines must be configured to use GFI WebMonitor as their proxy instead of Microsoft Forefront TMG. In the proxy settings of each client's browser, the proxy address must be the IP address of the server and the port must be 8081. This can be done by configuring every client browser manually, via GPO, or by enabling WPAD.
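A check an administrator might run after the cut-over, added here as an example and not part of GFI's documentation or tooling: it classifies client proxy settings so that machines still using TMG's proxy on port 8080, or no proxy at all, stand out. The server IP 192.0.2.10 and the inventory records are constructed; the ProxyEnable, ProxyServer and AutoConfigURL fields mirror the Windows Internet Settings values of the same names.

```python
# Added example: audit exported client proxy settings (all sample data is constructed).
GFI_HOST = "192.0.2.10"  # assumption: placeholder for the GFI WebMonitor/TMG server IP
GFI_PORT = 8081          # GFI WebMonitor listening port given on this page
TMG_PORT = 8080          # default proxy port left to Microsoft Forefront TMG

def parse_proxy_server(value):
    """Parse a ProxyServer string: 'host:port' or 'http=h:p;https=h:p'."""
    endpoints = {}
    for part in filter(None, map(str.strip, value.split(";"))):
        scheme, sep, endpoint = part.partition("=")
        if not sep:  # one proxy used for every protocol
            scheme, endpoint = "all", part
        endpoint = endpoint.split("://", 1)[-1]  # tolerate 'http://host:port'
        host, sep, port = endpoint.rpartition(":")
        if not sep:  # no port given
            host, port = endpoint, ""
        endpoints[scheme.lower()] = (host.lower(), int(port) if port.isdigit() else None)
    return endpoints

def classify(client):
    """Return 'gfi', 'tmg', 'auto', 'direct' or 'other' for one client record."""
    if client.get("AutoConfigURL"):
        return "auto"    # outcome depends on which WPAD/PAC server answers
    if not client.get("ProxyEnable"):
        return "direct"  # no proxy at all: GFI WebMonitor never sees this traffic
    endpoints = parse_proxy_server(client.get("ProxyServer", ""))
    web = [endpoints.get(s, endpoints.get("all")) for s in ("http", "https")]
    if all(e == (GFI_HOST, GFI_PORT) for e in web):
        return "gfi"
    if any(e == (GFI_HOST, TMG_PORT) for e in web):
        return "tmg"     # still on TMG's own proxy, invisible to GFI WebMonitor
    return "other"

def audit(clients):
    """Map each client name to its classification; anything but 'gfi' needs review."""
    return {c["name"]: classify(c) for c in clients}

SAMPLE = [  # constructed inventory, e.g. collected from each client's Internet Settings
    {"name": "pc-01", "ProxyEnable": 1, "ProxyServer": "192.0.2.10:8081"},
    {"name": "pc-02", "ProxyEnable": 1, "ProxyServer": "192.0.2.10:8080"},
    {"name": "pc-03", "ProxyEnable": 1, "ProxyServer": "http=192.0.2.10:8081;https=192.0.2.10:8080"},
    {"name": "pc-04", "ProxyEnable": 0, "ProxyServer": "192.0.2.10:8081"},
    {"name": "pc-05", "ProxyEnable": 0, "AutoConfigURL": "http://wpad/wpad.dat"},
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```

Clients reported as "auto" follow whichever WPAD or PAC server answers them, so their result depends on Microsoft Forefront TMG's WPAD server having been de-activated.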

Upgrading from GFI WebMonitor 2013 for TMG

GFI WebMonitor 11 does not support a direct upgrade from GFI WebMonitor 2013. You need to upgrade to GFI WebMonitor version 10 first and then continue with the upgrade to GFI WebMonitor 11.

The complete upgrade process from GFI WebMonitor version 2013 to version 11 has the following steps.

  1. Download and upgrade to the 64-bit version of GFI WebMonitor 10.1, following the instructions in this article: https://www.gfi.com/support/products/gfi-webmonitor/How-to-upgrade-to-GFI-WebMonitor-10. Do not run the post-install wizard; continue to the next step.
  2. Upgrade to GFI WebMonitor 11. For more information refer to Upgrading from GFI WebMonitor 10.
  3. Obtain the license key and continue with the post-install wizard. For more information refer to Using the Post-installation Configuration Wizard.

A new GFI WebMonitor license key is required. Contact your reseller. The license for GFI WebMonitor Proxy cannot be upgraded from the GFI WebMonitor TMG key.

During upgrade, the previously defined GFI WebMonitor configuration is retained and converted to the new format.

After the upgrade process is complete, the Configuration Wizard guides the user through the most important settings. The proxy-related settings contain pre-configured values if no such settings are detected from previous installations. The proxy listening port is set to 8081 instead of the default port of 8080 to avoid a conflict with Microsoft Forefront TMG’s proxy.

Important notes:
  • Once the setup is complete and client machines point to GFI WebMonitor, Internet traffic generated by these machines is captured by the GFI proxy and only this traffic is monitored or controlled by GFI WebMonitor. The Microsoft Forefront TMG firewall can still capture traffic via its own proxy or in transparent mode; however this traffic will not be seen by GFI WebMonitor.
  • If the GFI WebMonitor proxy is published on the network via WPAD (Web Proxy AutoDiscovery protocol), the Microsoft Forefront TMG firewall’s WPAD server needs to be de-activated to ensure that all traffic passes through the GFI WebMonitor proxy.
  • Previous GFI WebMonitor rules on the Microsoft Forefront TMG firewall configuration are no longer in effect and they can be disabled or deleted.
  • Microsoft Forefront TMG firewall remains operational and the GFI WebMonitor proxy works in parallel with the following Microsoft Forefront TMG operation modes:
      • Single Network Adapter - Microsoft Forefront TMG with one network adapter connected to the Internal network or to a Perimeter network.
      • Edge Firewall - Microsoft Forefront TMG located at the network edge, acting as an edge firewall and connected to two networks: the internal network and the external network (usually the Internet).
      • 3-Leg Perimeter - Microsoft Forefront TMG deployed at the edge of the network, connected to the Internal network, the Perimeter network and the Internet.
      • Back Firewall - Microsoft Forefront TMG deployed at the edge of the network, connected to the Internal network and the Perimeter network.