forefront TMG 2010 ... UPnP Port mapping

Question

I've tried googling the answer for a few days now, have come up with very little apart from

http://retrohack.com/how-to-enable-xbox-live-behind-tmg-2010/

but can only publish ports on 1 ip address which isn't ideal as we have a few xbox's on our LAN

Essentially my 2008 R2 box is running forefront TMG as an Edge device.
i.e. 1x NIC connect to Internet directly 1x NIC Connected to private LAN (NAT'd)

I want to set TMG to allow UPnP devices to auto port map.. can this be done?(im aware of the security implications that this causes)

I essentially want be able to connect multiple Xbox's with full Xbox Live support.

Answer 1

Aceth, Thanks for checking out my post on RetroHack. To the best of my knowledge, there is no UPnP support on any 'enterprise' class firewall product, be it TMG, a Cisco ASA, a Juniper SG, or any other. The market seems to consider UPnP a home service, and no one would put a game console in at work. I guess they have never worked at a startup/dotcom/otherwise completely cool shop, or tried to run their own stuff at home. I really hope someone else pops in with an answer, but the whole reason I had to do all that on my TMG, and then posted how to do it was because lacking UPnP, that was the only way to get it to work. I'll keep an eye out here and elsewhere in case something pops up. Best of luck. Ed

Answer 2

There's no UPNP support for TMG, but I did come up with a system that got it working. It might be a bit late for this particular question, but I blogged my config here:

Xbox Live vs TMG 2010

Edit: (Had a problem with one friend originally - turned out to be his double-router setup at issue and it's fixed now)… So it's a solution for me!

Incidentally, it'll always appear as Strict NAT - it works anyway, though. Same solution should work for ISA 2006.