
We have decided to test and then deploy a Forefront TMG server on our network of 50 - 75 users (Windows 7, XP Clients, Windows Server 2008R2 Servers and a few Linux Boxes)

Our Network Topology is :

4 Floors (4 Lan Switches) > Connected to a Core Switch in our Server Room > Core Switch Connected to our Cisco Router on FA 0/1 > Cisco Router FA 0/0 Connected to our ISP (WAN).

At this moment our DHCP is running on our Cisco router and it is also the default gateway for our LAN : Default Gateway : 192.168.1.1

My Question is :

TMG Server has 2 NICs (One is Connected to our LAN Switch - TMG NIC IP : 192.168.1.200)

During Forefront TMG Installation, I added the range 192.168.1.1 - 192.168.1.254 on Adapter Selection during installation.

Once the install completes, how shall I redirect my clients, so that all network and internet traffic goes via TMG NIC 192.168.1.200 ?

What IP Shall I assign to the 2nd NIC on the TMG Server ?

Where shall that 2nd NIC be connected ?

Shall I place the TMG Server with dual NICs between our Core LAN Switch and Router or behind the Core Switch ?

Will be grateful for your assistance on this, we would use this for content filtering and web blocking and other features.

Thanks for reading !


Thank you for your reply : I have more than 3 questions now :-)

Q.1 : If I have 3 ISP Connections and 4 NICs on our TMG Server, can I connect all of them and have TMG load-balance / failover them ?

Q.2 : Can TMG dial a PPPoE Connection ? Say all 3 ISPs require us to dial PPPoE - is it possible to configure that for each NIC ?

Q.3 : We also have a Cisco router acting as our WAN Router at the moment, only plugged into 1 ISP. When I configure TMG to load-balance all 3 WANs, shall I just remove the Cisco from the topology, or how would I connect TMG and the Cisco? A bit confused here - will be grateful if you could assist on this - if this is possible.

Q.4 : If I had ONLY 1 (ONE) NIC on our TMG Server, would it connect to our LAN Switch and then we would specify its address on our W7 / XP Clients so it acts as a caching server / web filter ?

Q.5 : How do we route all internal internet traffic so that it only goes through our TMG server - if we were to use this for caching and web filtering only ?

Once again thanks for your reply - I am just testing this at the moment. I have set up an AD 2008R2 Box, TMG is joined to the domain and has 4 Network Cards installed and configured. TMG is currently plugged into our LAN Switch.

Mutahir

1 Answer


You'll need the second NIC in a different subnet in order for Windows routing to be happy. Then, TMG NATs between the internal subnet, and the external subnet (using the Edge layout anyway).

To push all traffic through the TMG box, point clients to it as the default gateway. It's likely to be a fairly major change to how the network works at the moment, so have a rollback strategy.

In order to do this most easily (but with a significant change), switch the current D.G. to a different subnet (say, a 10.x subnet so it's nice and visually differentiated), plug the other TMG adapter into that subnet, and allow that subnet to be considered external by TMG (i.e. do not include it as an "internal" network) - that way, anything not in the currently-defined Internal IP range will be considered potentially hostile. (Or at least External; TMG doesn't trust Internal networks implicitly).

The 10.x network essentially becomes a DMZ of sorts - your router (I assume is currently NATting to the ISP) can forward incoming requests to the external interface on the TMG box, and TMG firewall policy will control all traffic into and out of the 192.168.1.x network.

For ease of migration, if you go with that, the internal interface of TMG should assume the old IP of the router, i.e. the already-configured-on-clients default gateway.

For advanced Web use, i.e. authentication if required, configure WPAD to give clients explicit knowledge of the proxy.

Alternatively, leave everything as it is, ignore the second NIC, and use TMG as an explicit web proxy, configured either as http://tmg:8080 on clients, or through WPAD. It won't do whole-network content filtering, but it will at least do web traffic scanning in that configuration, and allow you time to get more familiar with it before embarking on the Massive Outage Path.

Better still, test your intended setup using a lab or virtual machines.

Just a thought.

Edit: One more very, very general tip: At some point, you're going to be tempted to create a rule that says "Allow anything anywhere anytime". If you do succumb to that temptation, make sure you exclude the Local Host network from it, so that at least TMG is still performing some local packet filtering to defend itself from nasty internal/external clients. (NAT tends to take care of most incoming traffic from outside, but there's always external misconfiguration to worry about).

If you want TMG to be able to connect to, or be connected to by, something, System Policy is where to do that. And as another-nother tip, if you don't allow any incoming connections to TMG other than RDP, you'll basically* be able to ignore* most* security updates* that are released*. Which is nice for the uptime. Plus! NIS gets updates when MSRC release bulletins, so there's an additional level of protection there too. Just don't get complacent.

* - don't do this.

TristanK
  • Hi Tristan, I have added some more questions :-) to my original post, will be grateful for your insight – Mutahir Jun 16 '11 at 20:53
  • I think it'd be better to set up new capital-Q-Questions for each question - that's generally how the stackexchange network works. People with expertise in each can then answer without it ending up threaded and messy? – TristanK Jun 17 '11 at 00:56
  • Q4: yes. This is a "single NIC" deployment - there are instructions for it on Technet. – TristanK Jun 17 '11 at 00:56
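The explicit-proxy option in the answer (clients configured as http://tmg:8080 or via WPAD) is usually delivered as a proxy auto-config (PAC) script, fetched by browsers from a host named wpad (via a DNS record or DHCP option 252) and called once per request. The script below is an added example, not code from the original post or from TMG: it sends the asker's 192.168.1.x LAN, plain hostnames and the TMG box itself DIRECT and everything else to the TMG web proxy listener. Browsers provide isPlainHostName and isInNet themselves; minimal stand-ins are defined here only so the script can be run offline under Node, and the hostname "tmg" and port 8080 are taken from the answer.

```javascript
// Constructed PAC script for the "use TMG as an explicit web proxy" option.
// In a real deployment only FindProxyForURL is needed; the helpers below
// imitate the PAC built-ins so the logic can be exercised outside a browser.

const INTERNAL_NET = "192.168.1.0";      // the asker's LAN (from the question)
const INTERNAL_MASK = "255.255.255.0";
const TMG_PROXY = "PROXY tmg:8080";      // TMG web proxy listener (from the answer)

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + parseInt(octet, 10), 0);
}

// Stand-in for the PAC built-in isInNet(host, pattern, mask). The browser
// version resolves names first; this one expects a dotted-quad host.
function isInNet(host, pattern, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// Stand-in for the PAC built-in isPlainHostName: true when there is no dot.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function FindProxyForURL(url, host) {
  // Loopback and the proxy itself must never be sent through the proxy,
  // otherwise WPAD bootstrapping and TMG's own pages loop back on it.
  if (host === "localhost" || host === "127.0.0.1" || host === "tmg") {
    return "DIRECT";
  }
  // Single-label intranet names (e.g. "intranet", "fileserver") stay on the LAN.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Numeric destinations inside 192.168.1.0/24 are internal: go direct.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, INTERNAL_NET, INTERNAL_MASK)) {
    return "DIRECT";
  }
  // Everything else goes through TMG so its web filtering applies.
  // Deliberately no "; DIRECT" fallback: in the "leave the router as the
  // gateway" layout a fallback would silently bypass filtering whenever
  // TMG is down, so this fails closed instead.
  return TMG_PROXY;
}
```

Serve the file as wpad.dat from a web server reachable as http://wpad/wpad.dat (the DNS name or DHCP option 252 tells clients where to look); the same return strings work when the script is pointed at directly from the proxy settings of the Windows 7 and XP clients. Hosts that the browser has to resolve by name (internal servers with a DNS suffix) would be handled with dnsDomainIs for the domain suffix in use, which is not shown here because the post does not name it.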