Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step


Forefront TMG can be configured in various topologies or network scenario such as Edge Firewall, 3-leg perimeter, back firewall and single network adapter. In this article, I will configure Forefront TMG as a 3-leg perimeter. Before you can start, prepare windows server 2008 using Microsoft recommended hardware. Below is a standard systems requirement for TMG:

  • Supported Operating Systems: Windows Server 2008 SP2 or Windows Server 2008 R2
  • A computer with 4 core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
  • 4 gigabytes (GB) or more of memory
  • 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection
  • Two disk for system and TMG logging, and one for caching and malware inspection
  • 3 network adapter (3-Leg Perimeter)

Assumptions:

image

1

you can add multiple internal network ranges such as 10.10.11.1/24 and 10.10.12.1/24 in TMG but assigned internal NIC of TMG server will be just one. In this situation, you have to create vlans, IP routing and access rule in the core switch or layer 3 switch. You can add multiple perimeter networks also in your infrastructure. In this scenario, you have to assign specific NIC for specific perimeter network. You may visit specific server manufacturer web site to find out maximum number of supported NIC in a server hardware and Microsoft website to see supported maximum number of NICs in a physical and virtualized windows server. In real life DMZ and External network must have public IP addresses i.e. routable IP addresses.

In a perimeter, you can publish Exchange CAS, OCS and Sharepoint Frontend server or choice of your web server. The following Visio diagram depict a typical 3-leg perimeter or DMZ. 

image

Install Windows server 2008 in a virtual or physical machine with recommended systems requirement. insert TMG DVD or mount TMG iso on virtual server. Run TMG preparation tools and Run Installation wizard. Follow my previous step by step TMG installation guide to install TMG. It would redundant to write again.

Configure 3-leg perimeter :

   2

Open Forefront TMG Console>Select TMG Array>Launch Getting Started wizard from Task Pan. You will be presented with configuration wizard. Click Configure network settings>Click Next> Select 3-Leg Perimeter>Click Next.

 3 4

 5 6

 7 8

Select internal, external and perimeter network on the following three steps. Remember, you must configure static IP for all NICs.

9 10

11 12

 13 14

15 16

Now configure system settings and define deployment options on the next steps.

 17 18

 19 20

 21 22

 23 24

 25 26

 27

Click on networking option>verify all the settings by visiting property of internal and perimeter networks. You may add desired routing rules in the network rules.

DNS Configuration for Perimeter Network:

To allow LDAP authentication in perimeter network, right click on firewall policy>Click new>Click Access policy.

28

Type name of the policy>Click next>Click Allow>Click next

 29 30

On the selected protocol, Add DNS, Kerberos-Admin (TCP), Kerberos-Admin (UDP), LDAP, LDAP(UDP), LDAP (GC), Kerberos-Sec (TCP), Kerberos-Sec (UDP), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP, PING, RPC (All Interface). On the source, specify particular web server (or server) and on the destination specify AD DNS server. For this article, I am adding perimeter and internal network as a whole . However, in production environment I would not recommend to do so. For security season, by default everything is blocked in TMG server. you have to add protocols and rules one by one. Create specific rule for specific purpose.

 31 32

 33 34

 35

Apply changes>Click ok. Right Click on the rule>Click property>verify all protocols, source and destination.

To publish any web server in the perimeter, follow the link provided in the relevant articles. To publish secure web sites, import web server certificates in TMG server and web server and follow the web publishing rule.

Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , , . Bookmark the permalink.

36 Responses to Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

  1. Pingback: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step | MicrosoftGURU

  2. peter says:

    i’ve published an internal webserver so that it can be reached from external. However, from my perimeter (all public ips) i can’t reach that webserver using its external domain name. Any ideas?

    Like

    • Right click on the rule you published>property and check orginating and destination sources. Is perimeter available on orginating list? Log on to domain management tool that is provided by ISP. Please check correct IP and FQDN added.
      Step1. Add proper cname and public ip through ISP or own tools
      step2. proper rules in router if in place might be blocking anything
      step3. publish rule in TMG

      Please let me know how you go.

      Like

  3. rb says:

    how to configure TMG as gateway of web server in single nic

    Like

  4. ali says:

    Dear Mr. Raihan
    I have setup a similar environment ie. 3-leg perimeter setup. Unfortunately, even after following the same steps above, my internal servers are not able to reach the internet. I am getting the following error:

    Technical Information (for support personnel)
    Error Code 11002: Host not found
    Background: This error indicates that the gateway could not find an authoritative DNS server for the website you are trying to access.
    Date: 6/4/2011 9:16:57 AM [GMT]
    Server: xxxxTMG.xxx.xx
    Source: DNS problem

    The internet seems to work fine on the TMG server.
    Any suggestions would be appreciated.

    Like

  5. Adnan Alam says:

    Assalam o Alaikum Raihan;
    I want to protect my servers from direct access either from internal network or External network. For this i want to design DMZ so that i can place all of servers onto DMZ using one TMG machine.
    i put three NICs into TMG machine.
    1. Internal 172.18.0.0/23
    2. External (Public IP)
    3. Perimeter 192.168.0.0/24 (Where i want to put all of my servers e.g. DC,ADC,SQL, Webserver, Antivirus server etc.

    Now i am testing TMG for this scenario.

    I installed TMG Enterprise and configured it as 3-leg and chose Private IPs in DMZ during installation. All network rules are published automatically and i made the firewall rules to all outbound from internal to external, internal to perimeter and perimeter to internal and external.
    Placed one system in DMZ and given it 192.168.0.2 address, TMG perimeter NIC has 192.168.0.30
    Now DMZ to Local Host and Internal to Local host all kind of communication is working fine but Internal to DMZ and DMZ to internal is not happening.
    When i ping from either internal or perimeter is gives “Destination host not found”
    Can this communication happen without giving Dual IPs to Client machines and how.

    Your reply would be great help.

    Regards;
    Adnan Alam,
    Express News Pakistan.

    Like

    • You need to create new rules for ping protocol. By default TMG block everything unless you define in rules. This is the best practice of any kind of firewall.
      Thanks for visiting my site and never greet people with “Assalam o Alaikum” you dont know personally instead say “hello or Dear”

      Like

      • Adnan Alam says:

        Hello Raihan;
        Did what you advised. Actually i configured my servers as it is as you mentioned in your guide here. created all rules you created like dns, ping, kerbaros etc. but no luck. actually my concept is not getting clear that how a 172.18.x.x client will be able to ping 192.168.x.x computers. It instantly replies for “Destination host unreachable”, how would it take out the ping request out of the interface? It is understandable for public IPs that it would use its artificial intelligence to judge that its a public ip and it would need to NAT it.
        Please help even if you think these foolish questions.
        Regards;
        Adnan Alam,
        Pakistan

        Like

      • Hello Adnan,
        You need to add proper routing rules in TMG. Such as 172.18.x.x route to 192.168.x.x
        Click Networking>Network rule>Create new rule> Add IP ranges
        Create a ping rule in firewall
        That should solve the problem
        Raihan

        Like

    • uzair says:

      Dear Adnan,

      ru talking about remote client (internet client), communication b/w perimeter and remote client is not working.

      Like

  6. GKHAN says:

    We have created 3-Legs Perimeter, from internal everything fine, but our probelm is from perimeter to inernal which is not accessible.

    Like

    • Create Network rule.
      TMG Console>Networking>Network Rule>Create new rule for perimeter to internal network.

      Like

      • GAKHAN says:

        I have created rule as per your instructions, but getting the below message

        Closed Connection “Server Name” 6/25/2011 2:59:57 PM
        Log type: Firewall service
        Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
        Rule: Perimeter to Internal
        Source: Perimeter (172.16.2.2:1065)
        Destination: Local Host (192.168.1.23:8080)
        Protocol: HTTP Proxy

        Like

      • Did you added all the firewall policy you need? Did you added internal and DMZ networks in TMG?
        What sort of connection is declined by TMG? please let me know

        Like

  7. GAKHAN says:

    I have created rule as per your instructions, but getting the below message

    Closed Connection “Server Name” 6/25/2011 2:59:57 PM
    Log type: Firewall service
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
    Rule: Perimeter to Internal
    Source: Perimeter (172.16.2.2:1065)
    Destination: Local Host (192.168.1.23:8080)
    Protocol: HTTP Proxy

    Like

  8. Mouzzam says:

    Hello Raihan

    Very nice article thanks for posting this..

    Like

  9. Bene says:

    Hi,
    I need your help to implement a structure that works with a firewall / router + ISA Server 2006 mode 3 leg perimeter. Do you have any step by step tutorial?

    Thank you.

    Like

  10. CArlos L. says:

    Hi, I have one topology of TMG with two EMS and Tw0 TMG Standard with NLB in the external, perimeter and internal. What area the best practice to routing and networking rules for this topology.

    Thanks.

    Like

  11. Rasheedah says:

    Good post however I saw tmg configs where only DNS is needed on the internal NIC as MS recommends. This is also how i set this up for my my clients. Just wondering in what case(s) would you put DNS entries on all 3 nics?

    Thanks

    Like

  12. Abdul Waheed says:

    great- thanks

    Like

  13. Abdul Waheed says:

    hi,

    i already have TMG Server in placed. i want to configure running TMG server with DMZ. i have created DMZ Network with seperate range. do i need to configure Netowrk Rule before creating Firewall Rule ? if yes then Route or Nat relationship and with what networks ?

    Like

  14. Pingback: How did this blog perform in the year of 2011 | Blog by Raihan Al-Beruni

  15. kondapalli says:

    Hi

    I have created Exchange test environment in my lab which is below scenario

    Internal – 192.168.0.1 t0 192.168.0.100
    Servers : 3 Exchange servers and 1 DC
    TMG2010 Server – Configure 3 network Adapters with below networks
    1 -Internal 192.168.0.2
    1 -Perimeter 192.168.2.1
    1-External 10.156.2.80
    EDGE Transport Server – Configured in Perimeter Network
    1- Perimeter 192.168.2.3

    The issue is I cant able to communicate Edge server to My internal network ,I follow you step and configured necessary firewall rules and network rule s but still getting ”
    “Destination host is not reachable error”

    I tried all the ways and search google I couldn’t found any solutions ,Appreciate i could provide Idea on this .

    Like

    • How many nics you have in Edge server? If single then default gateway of edge server is 192.168.2.1 please check all subnet mask and relationship inbetween internal-perimeter internal-public.

      everything is blocked in TMG by default. allow ping and try again. publish rules whatever is required to fullfil your need. update me once you checked all these.

      Like

      • kondapalli says:

        Hi

        Thanks for update

        i have chked the Edge Server is configured with singale adapter with the ipaddress 192.168.2.1 and Dns 192.168.0.2 (internal)

        Netwrok Rules :
        Configure Route internal to perimeter
        COnfigure NAT Perimeter to External

        Firewall rules :

        Configure All protocols from Perimeter to Internall netwroks

        But still i cant able to communicate ,

        Like

      • you dont have to confiure all protocol from perimeter to internal.
        Create required rules to and from perimeter and internal vise-versa and test. You may allowed traffic oneway and trying to use otherway.

        Like

  16. Luis Gomes says:

    In this 3-leg configuration do you recommend that the TMG Server should be joined to the Domain ?

    Because actually i have 2 isa 2006 servers (frontend isa (workgroup) and backend isa (domain member)) and because of the numbers of licenses from microsoft i now have to have only 1 firewall server (tmg 2010).

    in my DMZ i only have one ftp server and one web server everything else (smtp – ad ) is in my internal.

    what do you recommend.

    Please give me your feedback.

    Best Regards

    Like

  17. Luis Gomes says:

    I have doubt about this 3-leg configuration, should i have the tmg server joined to the domain ?

    I actually have two isa 2006 servers (isa frontend (workgroup) isa backend (domain)),
    but i have to change to only 1 TMG server because of license issues and i´m thinking of using this 3-leg configuration.

    On my DMZ i only have 1 ftp server and 1 web server.

    Could you please tell me what do you recommend.

    Please give me feedback on my questions

    Best Regards

    LG

    Like

  18. sujay says:

    Good Morning,

    I’ve got a simple lab vmware setup. so far a Internal network (has DC with DNS), Perimeter (has one FTP Server) and the External internetwork NIC.

    DC /w DNS has
    IP 10.1.1.1
    GW 10.1.1.2 (internal NIC of TMG)
    DNS 10.1.1.1
    DNS Fowarder to 8.8.8.8

    FTP Server has
    IP 20.1.1.1
    GW 20.1.1.2 (perimeter NIC of TMG)
    no 10.1.1.1

    TMG External Internet NIC has
    IP – 192.168.0.1 (modem)
    GW – 192.168.0.1 (modem)
    DNS – 192.168.0.1 (modem)
    TMG Internal NIC has
    IP – 10.1.1.2
    GW – no GW
    DNS – 10.1.1.1

    TMG Perimeter NIC has
    IP – 20.1.1.2
    GW – no GW
    DNS – no DNS

    – I’m not able to ping google.com from my DNS unless I have ICS enabled on my TMG external NIC but I can ICS bind only to one Internal or Perimeter NIC.
    Is there any additional setting i’ve missed out like enabling Routing / etc on the TMG.
    And If i enable ICS the TMG installation doesn’t complete or I can configure a 3-leg topology. If i disable and install TMG, ICS can’t be enabled it later and will not let my perimeter network to communicate to external sites.

    Like

    • you dont need enable ICS on TMG server. You need allow HTTP/HTTPS traffic to and from your desired destination. make sure you create firewall rules. web access rules etc.
      Create Topology in TMG that means Use TMG MMC>TMG Server Name>Start Up wizard>Create 2-leg perimeter.

      There is no need add DNS and Default gateway on the internal and perimeter NIC. TMG>Monitor>add connectivity verifier like AD, DNS and Web.

      COnfigure Proxy. TMG>networking>Internal Network>Property>Web Proxy

      COnfigure IE of DNS server to use Proxy and than browse. Make sure you can browse internet from TMG server.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s