Forefront TMG can be configured in several topologies or network scenarios: Edge Firewall, 3-Leg Perimeter, Back Firewall and Single Network Adapter. In this article, I will configure Forefront TMG as a 3-Leg Perimeter. Before you start, prepare Windows Server 2008 on Microsoft-recommended hardware. Below are the standard system requirements for TMG:
- Supported operating systems: Windows Server 2008 SP2 or Windows Server 2008 R2
- A computer with a 4-core (2 CPUs x dual core or 1 CPU x quad core) 64-bit processor
- 4 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space. This is exclusive of the hard disk space you want to use for caching or for temporarily storing files during malware inspection
- Two disks: one for the system and TMG logging, and one for caching and malware inspection
- 3 network adapters (3-Leg Perimeter)
You can add multiple internal network ranges such as 10.10.11.1/24 and 10.10.12.1/24 in TMG, but the TMG server will still have just one NIC assigned to the internal network. In that case, you have to create the VLANs, IP routing and access rules on the core switch or layer 3 switch. You can also add multiple perimeter networks to your infrastructure; in this scenario, you have to assign a specific NIC to each perimeter network. Visit the server manufacturer's web site to find out the maximum number of NICs supported by the server hardware, and the Microsoft web site to see the maximum number of NICs supported in a physical and a virtualized Windows server. In real life, the DMZ and External networks must have public IP addresses, i.e. routable IP addresses.
In a perimeter network, you can publish an Exchange CAS, OCS or SharePoint front-end server, or a web server of your choice. The following Visio diagram depicts a typical 3-leg perimeter or DMZ.
Install Windows Server 2008 on a virtual or physical machine that meets the recommended system requirements. Insert the TMG DVD, or mount the TMG ISO on the virtual server. Run the TMG preparation tool and then the installation wizard. Follow my previous step-by-step TMG installation guide to install TMG; it would be redundant to write it again.
Configure 3-leg perimeter:
Open the Forefront TMG console>Select the TMG array>Launch the Getting Started wizard from the Task Pane. You will be presented with the configuration wizard. Click Configure network settings>Click Next>Select 3-Leg Perimeter>Click Next.
Select the internal, external and perimeter networks in the following three steps. Remember, you must configure a static IP for every NIC.
Now configure the system settings and define the deployment options in the next steps.
Click on the Networking option>Verify all the settings by visiting the properties of the internal and perimeter networks. You may add the routing rules you need under Network Rules.
DNS Configuration for Perimeter Network:
To allow LDAP authentication from the perimeter network, right-click Firewall Policy>Click New>Click Access policy.
Type a name for the policy>Click Next>Click Allow>Click Next.
Under selected protocols, add DNS, Kerberos-Admin (TCP), Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (GC), Kerberos-Sec (TCP), Kerberos-Sec (UDP), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP, PING and RPC (All Interfaces). As the source, specify the particular web server (or servers), and as the destination specify the AD DNS server. For this article, I am adding the perimeter and internal networks as a whole. However, in a production environment I would not recommend doing so. For security reasons, everything is blocked by default in TMG; you have to add protocols and rules one by one. Create a specific rule for each specific purpose.
Apply the changes>Click OK. Right-click the rule>Click Properties>Verify all protocols, the source and the destination.
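To make the scoping caveat concrete, here is an added example (not part of the original article, and not TMG code) that models TMG's default-deny, first-match evaluation and compares the rule as built above, with whole networks as source and destination, against the host-scoped form recommended for production. The addresses, the web server and the AD DNS server are constructed; the port numbers are the well-known ports behind the TMG protocol names.

```python
import ipaddress

# Well-known ports behind the TMG protocol objects added to the rule above.
PROTOCOLS = {
    "DNS": [("udp", 53), ("tcp", 53)],
    "LDAP": [("tcp", 389)], "LDAP (UDP)": [("udp", 389)], "LDAP (GC)": [("tcp", 3268)],
    "Kerberos-Sec (TCP)": [("tcp", 88)], "Kerberos-Sec (UDP)": [("udp", 88)],
    "Kerberos-Admin (TCP)": [("tcp", 464)], "Kerberos-Admin (UDP)": [("udp", 464)],
    "Microsoft CIFS (TCP)": [("tcp", 445)], "NTP": [("udp", 123)],
}

# Constructed addressing for the 3-leg layout: the internal LAN, the perimeter (DMZ,
# using a documentation range in place of a public one), one published web server and
# one AD/DNS server. None of these values come from the article.
INTERNAL = ipaddress.ip_network("10.10.11.0/24")
PERIMETER = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
AD_DNS = ipaddress.ip_address("10.10.11.5")

def make_rule(name, protocols, sources, destinations):
    """An allow rule: sources/destinations are whole networks or single hosts."""
    ports = {p for proto in protocols for p in PROTOCOLS[proto]}
    return {"name": name, "ports": ports, "src": sources, "dst": destinations}

def _matches(addr, selectors):
    return any(addr == s if isinstance(s, ipaddress.IPv4Address) else addr in s
               for s in selectors)

def evaluate(rules, src, dst, proto, port):
    """First matching allow rule wins; anything unmatched hits the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (proto, port) in r["ports"] and _matches(src, r["src"]) and _matches(dst, r["dst"]):
            return r["name"]
    return "Default rule (deny)"

# The rule as the article builds it (whole networks) beside the scoped production form.
BROAD = [make_rule("DMZ LDAP auth (broad)", PROTOCOLS, [PERIMETER], [INTERNAL])]
SCOPED = [make_rule("DMZ LDAP auth (scoped)", PROTOCOLS, [WEB_SERVER], [AD_DNS])]

FLOWS = [  # constructed test flows: (source, destination, protocol, port)
    ("192.0.2.10", "10.10.11.5", "tcp", 389),   # web server -> AD DNS: required
    ("192.0.2.77", "10.10.11.5", "tcp", 389),   # another DMZ host -> AD DNS: not required
    ("192.0.2.10", "10.10.11.50", "tcp", 445),  # web server -> other internal host on CIFS
    ("192.0.2.10", "10.10.11.5", "tcp", 3389),  # no matching protocol object: always denied
]

def audit(rules, flows=FLOWS):
    """Decision per flow, so the two rule sets can be compared side by side."""
    return {f: evaluate(rules, *f) for f in flows}

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("scoped", SCOPED)):
        for flow, decision in audit(rules).items():
            print(label, flow, "->", decision)
```

The broad rule lets every DMZ host reach every internal host on all listed protocols, while the scoped rule allows only the web server to the AD DNS server and leaves the rest to the default deny.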
To publish a web server in the perimeter network, follow the links provided in the relevant articles. To publish secure web sites, import the web server certificate on both the TMG server and the web server, then follow the web publishing rule.