In a centrally managed Forefront TMG deployment, an enterprise administrator can define configuration settings that apply to all Forefront TMG computers in the enterprise, and an array administrator can define configuration settings that apply to a single array. The enterprise configuration is represented by the FPCEnterprise object, and an array configuration is represented by an FPCArray object. The enterprise-level settings and the array-level settings for all the arrays in an enterprise are stored centrally on Configuration Storage servers. Each Forefront TMG computer in an enterprise obtains the enterprise configuration settings and the array configuration settings for its array from a Configuration Storage server and maintains a locally stored effective configuration that is derived from the enterprise configuration and the applicable array configuration.
The enterprise configuration can include enterprise-level security roles, enterprise policies, enterprise networks, rule elements, and configuration settings for add-ins. For more information about enterprise policies and enterprise networks, see Enterprise Policies and Enterprise Networks.
Enterprise-level configuration settings that will be available to all Forefront TMG computers in all arrays in the enterprise can be introduced for enterprise-level rule elements, application filters, and Web filters by attaching vendor parameters sets to the enterprise-level objects representing them.
The configuration settings in a vendor parameters set created on an enterprise-level object are combined into the effective configuration stored locally on each Forefront TMG computer and can be retrieved by accessing the vendor parameters sets attached to the corresponding array-level object. If two vendor parameters sets with different globally unique identifiers (GUIDs) are defined for the same rule element or filter, one in the enterprise configuration and one in the array configuration, both of them can be accessed through the VendorParametersSets property of the array-level object. We do not recommend defining vendor parameters sets with the same GUID for the same filter or rule element in both the enterprise and array configurations, because there will be only one vendor parameters set for it in the effective configuration, and the array-level parameters will be overridden by the enterprise-level parameters and lost.
An array administrator can define rule elements that can be used for configuring rules that apply to all the Forefront TMG computers in an array. An enterprise administrator can define a single set of enterprise-level rule elements that can be used when configuring rules in any enterprise policy and when creating array-level rules. The rule elements that can be defined on the enterprise level include content type sets, schedules, protocols, user sets, and sets of various types of network entities.
If a protocol is defined with the same GUID in both the enterprise and array configurations, there will be only one protocol definition for it in the effective configuration, and the enterprise-level properties will override the array-level properties. If vendor parameters sets with different GUIDs are attached to the definitions of this protocol in the enterprise and array configurations, both vendor parameters sets can be found in the combined protocol definition in the effective configuration.
Application filters and Web filters can be registered in the collections of filters in the enterprise configuration and in array configurations. Registering a filter in the array configuration is required for enforcing its policy in the array. Registering a filter in the enterprise configuration is optional, but provides several benefits. When you register a filter on the enterprise level, you can do the following:
- Introduce an enterprise-wide configuration by attaching vendor parameters sets to the filter object and enterprise nodes that will be available to all Forefront TMG computers in all arrays in the enterprise.
- Enable or disable the filter on the enterprise level. If an application filter or Web filter is enabled in the enterprise configuration, the enterprise setting is applied to each array, and the filter cannot be disabled in an array configuration. If an application filter or Web filter is disabled in the enterprise configuration, it can be enabled or disabled in an array configuration.
- Extend Forefront TMG Management by adding property pages for setting enterprise configuration settings for the filter.
Build date: 7/12/2010