Deployment considerations for integration with Forefront TMG

Single Microsoft Forefront TMG configuration

The following illustration shows placement of Forcepoint URL Filtering policy enforcement and management components on 2 dedicated machines, separate from the Microsoft Forefront TMG server.

• The ISAPI Filter must be installed on the TMG machine so that Internet activity information can be communicated to Filtering Service.
• The Filtering Service and TMG machines must be able to communicate over the network.

The diagram provides a general overview and best practice location for your integration product, but does not show all components. Larger networks require web protection components to be distributed across several dedicated machines.

Array configuration

Forcepoint URL Filtering is compatible with most array configurations, including Cache Array Routing Protocol (CARP) arrays. It is a best practice to install web protection software outside an array of Forefront TMG machines. Install the ISAPI Filter on each member of the array. See the following illustration.

When web protection software is deployed in this configuration, all array members send Internet requests to Filtering Service outside the array.

Other configurations are possible. See your Microsoft Forefront TMG documentation for information about TMG configurations.

The diagram provides a general overview and best practice location for your integration product, but does not show all components. Larger networks require web protection components to be distributed across several dedicated machines.