This is one of the topics I am asked about a lot: "how to deploy a TMG array in a workgroup". 8 out of 10 times, if you don't know the steps, you will fail. Deploying TMG in a workgroup is all about the order you do it in. It's that simple.
I also have to say that, so far, there is no relation between joining the domain and the level of security the box has. So if your reason is to make it more secure, you will gain nothing; instead you will lose some of the features. So my advice is: join it to the domain, if possible.
First, install TMG Enterprise on both nodes (full installation, as you normally do).
You must set the DNS suffix.
Make sure that the managed server group has the IP range of the array.
Now you can harden TMG by using the security wizard.
Next step: the certificates. Because the installation is in a workgroup, the machines have no way to authenticate each other; this is why we need certificates.
As a recommendation, you should be using an internal PKI (CA), but what if you don't have one installed?
If you are interested, have a look at my posts about ADCS.
This guide will show you how to create a self-signed certificate, and not only that, but how to use it to sign other certificates. This lets you create a certificate hierarchy without the need for a CA. This is only supported in a lab environment.
Download the Windows 7 SDK; we will only be using a small tool from it called makecert.
you can get it from
Microsoft Windows SDK for Windows 7 and .NET Framework 4 (ISO)
For full information about the tool, please visit
Now open a command prompt and make sure that you are in c:\program files\Microsoft sdks\windows\v7.1\bin\
and run the following command
makecert -pe -n "CN=TMGArrayRootCA" -ss my -sr LocalMachine -a sha1 -sky signature -r "TMG Array Root CA"
This command creates the root certificate that we will use to sign the other certificates.
Next we run the following two commands.
Don't forget to change the names to your own node names.
makecert -pe -n "CN=TMG1.TMG.local" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "TMGArrayRootCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "TMG1.cer"
makecert -pe -n "CN=TMG2.TMG.local" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "TMGArrayRootCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "TMG2.cer"
You don't need to create a certificate for the second node, but you will need it in case of a DR, when you try to make that node the array manager.
For the root CA, DON'T EXPORT THE PRIVATE KEY.
Now we move each certificate to its node.
Don't forget to install the root CA in Trusted Root Certification Authorities for this to work.
Now we have valid certificates and can proceed.
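Before moving on to the array configuration, it is worth checking on each node that the certificates ended up where TMG expects them. The following PowerShell script is an added example (not part of the original post) that verifies the DNS suffix is set, that the node certificate in LocalMachine\My matches the node FQDN, has its private key and the Server Authentication EKU, and that it chains to the root placed in Trusted Root Certification Authorities. It assumes the root subject from the makecert commands above and that only the public root certificate (no private key) was copied to the node.

```powershell
# Added check script for this walkthrough (not from the original post).
# Assumptions: node cert is in LocalMachine\My with subject CN=<hostname>.<DNS suffix>,
# the root public certificate (without private key) is in LocalMachine\Root.
$RootSubject   = 'CN=TMGArrayRootCA'   # subject used in the makecert -r command
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU used with -eku

# The primary DNS suffix lives in the TCP/IP parameters; it must be set first.
$tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix = $tcpip.'NV Domain'
if (-not $suffix) { Write-Warning 'Primary DNS suffix is not set; set it before creating certificates'; return }
$ExpectedSubject = "CN=$($tcpip.Hostname).$suffix"

# Root must be trusted on this node, and its private key should not be here.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootSubject } | Select-Object -First 1
if (-not $root) { Write-Warning "Root '$RootSubject' is not in Trusted Root Certification Authorities"; return }
if ($root.HasPrivateKey) { Write-Warning 'Root private key is present on this node; only the public certificate should be moved' }

# Node certificate: subject must match the FQDN, private key must be present.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $ExpectedSubject } | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate with subject '$ExpectedSubject' in LocalMachine\My"; return }
if (-not $cert.HasPrivateKey) { Write-Warning 'Node certificate has no private key; import it as PFX with the key' }

# EKU check: the makecert command above requests Server Authentication.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
if (-not $hasServerAuth) { Write-Warning "Node certificate lacks the Server Authentication EKU ($ServerAuthOid)" }

# Chain check. makecert issues no CRL distribution point, so revocation checking
# would always fail; disable it and verify the chain ends at our root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $top.Thumbprint -ne $root.Thumbprint) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Node certificate does not chain to '$RootSubject': $status"
} else {
    Write-Host "OK: $ExpectedSubject chains to $RootSubject, has a private key and the Server Authentication EKU"
}
```

Run it in an elevated PowerShell on each node after the certificates have been moved; any warning points at the step above that was skipped or done out of order.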