TMG Delegated Aministration

I have been running ISA deployments for years without ever needing to delegate administration to anyone.  I now have a requirement to allow this sort of thing and was very happy to find that it is very easy to deploy.

There are three roles to choose from:

Role	Permissions
Forefront TMG Array Monitoring Auditor	Monitor basic server and network activity across a Forefront TMG array. Cannot view the Forefront TMG configuration.
Forefront TMG Array Auditor	Perform all monitoring tasks across a Forefront TMG array, including most log configuration and alert definition configuration, with the following exceptions: Cannot configure a different user account when publishing reports. Cannot customize report contents. In addition, Forefront TMG array auditors can view the Forefront TMG configuration.
Forefront TMG Array Administrator	Perform any administrative task across a Forefront TMG array, including rule configuration, applying of network templates, and monitoring, as well as running highly privileged processes on the Forefront TMG server

Te following matrix gives you a breakdown of the functions the various roles can perform:

 

Action	Monitoring Auditor	Auditor	Administrator
View Dashboard, alerts, connectivity, sessions, services	Allowed	Allowed	Allowed
Acknowledge and reset alerts	Allowed	Allowed	Allowed
View log information	Not allowed	Allowed	Allowed
Create alert definitions	Not allowed	Not allowed	Allowed
Create reports	Not allowed	Allowed	Allowed
Stop and start sessions and services	Not allowed	Allowed	Allowed
View firewall policy	Not allowed	Allowed	Allowed
Configure firewall policy	Not allowed	Not allowed	Allowed
Configure cache	Not allowed	Not allowed	Allowed
Configure a virtual private network (VPN)	Not allowed	Not allowed	Allowed
Drain and stop network load balanced (NLB) firewall or Web Proxy load balanced server	Not allowed	Allowed	Allowed
View local configuration (in Active Directory Lightweight Directory Services on array member)	Not allowed	Allowed	Allowed
Change local configuration (in Active Directory Lightweight Directory Services on array member)	Not allowed	Not allowed	Allowed

Setting this up is pretty straight forward. 

• Open the TMG management console
• Right click your array and select properties
• Select the Assign Roles tab.
• Add your user and select the Role you want them to have.

So this is part one sorted.  Nice and neat, quick and easy. But how are your users going to gain access to your TMG array to administer it?

The two methods normally being used is to allow your administrators to RDP to the TMG server.  The other preferred method is to allow MMC access to the TMG server. One small catch to both these methods.  You need to configure the system policy to grant access to this.

• Open the TMG management console
• Click Firewall Policy
• On the right hand side click Edit system policy
• Under the remote management section you will see Microsoft Management Console and Terminal Server
• To enable this access check Enable this configuration group.
• In the From tab you need to specify your "trusted network or computers or computer group"

Typically an administrator might have access from his laptop to administer and application.  But with TMG you can only specify a network or a computer group.  These have to be tied to and IP.  If the client laptop is a DHCP client this is not going to work if the ip changes.

I suggest having a "Management server" that your administrators can connect to and that only that server has access to manage your TMG environment. This allows you to restrict access to a single IP that you can manage properly with AV etc.

When I build my multi array enterprise configuration I will update this article on how to best administer an enterprise deployment.

For more info you can always check out the MS articles http://technet.microsoft.com/en-us/library/dd441007.aspx