
I'd love to see some good guidance on the following scenario:

  1. Customer has a requirement to publish Exchange services securely over the Internet.
  2. The Customer has an existing hardware firewall and as such TMG should have a single nic on the DMZ segment.
  3. TMG should be domain joined to allow KCD. (I know you could do LDAP/s but domain joined clients are forced to enter credentials in this situation which most customers cringe at.)
  4. Access from DMZ hosts to internal is locked to required ports only, so what ports are required for AD authentication?
  5. Customer requires FBA authentication internally and externally for WebApp.
  6. There are multiple CAS boxes with NLB.

This is a complex scenario but I believe it is also a common scenario which lacks any good documentation or guidance.

Jacob

1 Answer


Separate out the issues here, as it's not quite as messy as you think:

  1. OK

  2. This doesn't follow directly, and using two NICs, one external, one internal, would be the simplest method of allowing TMG to be a domain member as well as a DMZ host. Firewall admins often dislike this configuration unless they're comfortable with TMG configuration, as it creates another point of potential misconfiguration that might allow access to internal network resources.

  3. (and 4) LDAP wouldn't cause an additional prompt - you're using Forms-based authentication, so the whole web page is one big prompt!

  4. The requirements for a domain member are well documented. Assume they hold true for any member server, including TMG. See http://support.microsoft.com/kb/832017 for the details.

  5. OK, FBA can use an authentication source of practically anything - LDAP, RADIUS, Basic, Integrated, you name it.

  6. It'd possibly be better to address them individually using the built-in Web Farm configuration, otherwise don't, and specify the VIP instead. Also keep in mind that if TMG doesn't know about the Web Farm itself, and an affinity other than None is used, all the connections coming from TMG will end up on the same CAS box with default "Requests appear to come from the TMG computer" Web Publishing settings.

The rest is just following along from the Exchange 2010 with TMG 2010 guide, from here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022&displaylang=en

TristanK
  • About point 6: this is only true if TMG is set to mask the actual client IP address with its own one (which I don't think is good practice, as it makes the web server logs almost useless). – Massimo Mar 15 '11 at 09:35
  • Yep - but also the default, and doesn't require the web servers to have their default gateway include the TMG box on egress. But worth an edit to make that clearer. Ta! (actually, does that even work with a single nic?) – TristanK Mar 15 '11 at 10:11
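Point 4 of the answer defers the port list to the Microsoft KB article. As an added example (not part of the question or the answer above), the following PowerShell script checks, from the single-NIC TMG host in the DMZ, that the internal firewall actually passes the TCP ports a domain member needs to reach its domain controllers. The DC names are placeholders, and the port list is the commonly required TCP subset for a member server (DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Global Catalog); it deliberately uses `System.Net.Sockets.TcpClient` rather than `Test-NetConnection`, because the latter is not available on the Windows Server 2008 R2 builds TMG runs on.

```powershell
# Added example: verify DMZ-to-internal firewall openings for a domain-joined TMG host.
# Assumptions: DC names below are placeholders; the port list is the usual TCP set a
# member server needs (see the KB article referenced in the answer for the full list).
# UDP (Kerberos/LDAP/NTP) and the dynamic RPC range used after port 135 are not tested
# here; confirm those separately against your firewall rule set.

$DomainControllers = @('dc1.corp.example', 'dc2.corp.example')   # placeholders

$RequiredTcpPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper (Netlogon)' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (Group Policy / SYSVOL)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

function Test-TcpPort {
    # Returns $true when a TCP handshake to $ComputerName:$Port completes within the timeout.
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no SYN/ACK within the timeout: filtered or host down
        }
        $client.EndConnect($async) # throws on an active refusal (RST)
        return $true
    }
    catch {
        return $false
    }
    finally {
        $client.Close()
    }
}

# Print one row per DC/port so the result can be pasted into a change record.
foreach ($dc in $DomainControllers) {
    foreach ($entry in $RequiredTcpPorts) {
        $open   = Test-TcpPort -ComputerName $dc -Port $entry.Port
        $status = if ($open) { 'OPEN' } else { 'BLOCKED' }
        '{0,-24} {1,5}/tcp  {2,-34} {3}' -f $dc, $entry.Port, $entry.Service, $status
    }
}
```

Run it from the TMG box after the firewall rules are in place; every row for every DC should read OPEN, and a BLOCKED row on 88 or 389 is the usual reason the domain join or KCD silently fails. A timeout (as opposed to an immediate refusal) generally means the packet is being dropped by the hardware firewall rather than rejected by the DC.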