Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

Forefront TMG can be configured in various topologies or network scenario such as Edge Firewall, 3-leg perimeter, back firewall and single network adapter. In this article, I will configure Forefront TMG as a 3-leg perimeter. Before you can start, prepare windows server 2008 using Microsoft recommended hardware. Below is a standard systems requirement for TMG:

  • Supported Operating Systems: Windows Server 2008 SP2 or Windows Server 2008 R2
  • A computer with 4 core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
  • 4 gigabytes (GB) or more of memory
  • 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection
  • Two disk for system and TMG logging, and one for caching and malware inspection
  • 3 network adapter (3-Leg Perimeter)




you can add multiple internal network ranges such as and in TMG but assigned internal NIC of TMG server will be just one. In this situation, you have to create vlans, IP routing and access rule in the core switch or layer 3 switch. You can add multiple perimeter networks also in your infrastructure. In this scenario, you have to assign specific NIC for specific perimeter network. You may visit specific server manufacturer web site to find out maximum number of supported NIC in a server hardware and Microsoft website to see supported maximum number of NICs in a physical and virtualized windows server. In real life DMZ and External network must have public IP addresses i.e. routable IP addresses.

In a perimeter, you can publish Exchange CAS, OCS and Sharepoint Frontend server or choice of your web server. The following Visio diagram depict a typical 3-leg perimeter or DMZ. 


Install Windows server 2008 in a virtual or physical machine with recommended systems requirement. insert TMG DVD or mount TMG iso on virtual server. Run TMG preparation tools and Run Installation wizard. Follow my previous step by step TMG installation guide to install TMG. It would redundant to write again.

Configure 3-leg perimeter :


Open Forefront TMG Console>Select TMG Array>Launch Getting Started wizard from Task Pan. You will be presented with configuration wizard. Click Configure network settings>Click Next> Select 3-Leg Perimeter>Click Next.

 3 4

 5 6

 7 8

Select internal, external and perimeter network on the following three steps. Remember, you must configure static IP for all NICs.

9 10

11 12

 13 14

15 16

Now configure system settings and define deployment options on the next steps.

 17 18

 19 20

 21 22

 23 24

 25 26


Click on networking option>verify all the settings by visiting property of internal and perimeter networks. You may add desired routing rules in the network rules.

DNS Configuration for Perimeter Network:

To allow LDAP authentication in perimeter network, right click on firewall policy>Click new>Click Access policy.


Type name of the policy>Click next>Click Allow>Click next

 29 30

On the selected protocol, Add DNS, Kerberos-Admin (TCP), Kerberos-Admin (UDP), LDAP, LDAP(UDP), LDAP (GC), Kerberos-Sec (TCP), Kerberos-Sec (UDP), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP, PING, RPC (All Interface). On the source, specify particular web server (or server) and on the destination specify AD DNS server. For this article, I am adding perimeter and internal network as a whole . However, in production environment I would not recommend to do so. For security season, by default everything is blocked in TMG server. you have to add protocols and rules one by one. Create specific rule for specific purpose.

 31 32

 33 34


Apply changes>Click ok. Right Click on the rule>Click property>verify all protocols, source and destination.

To publish any web server in the perimeter, follow the link provided in the relevant articles. To publish secure web sites, import web server certificates in TMG server and web server and follow the web publishing rule.

Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

36 thoughts on “Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

  1. Pingback: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step | MicrosoftGURU

  2. i’ve published an internal webserver so that it can be reached from external. However, from my perimeter (all public ips) i can’t reach that webserver using its external domain name. Any ideas?


    • Right click on the rule you published>property and check orginating and destination sources. Is perimeter available on orginating list? Log on to domain management tool that is provided by ISP. Please check correct IP and FQDN added.
      Step1. Add proper cname and public ip through ISP or own tools
      step2. proper rules in router if in place might be blocking anything
      step3. publish rule in TMG

      Please let me know how you go.


  3. Dear Mr. Raihan
    I have setup a similar environment ie. 3-leg perimeter setup. Unfortunately, even after following the same steps above, my internal servers are not able to reach the internet. I am getting the following error:

    Technical Information (for support personnel)
    Error Code 11002: Host not found
    Background: This error indicates that the gateway could not find an authoritative DNS server for the website you are trying to access.
    Date: 6/4/2011 9:16:57 AM [GMT]
    Source: DNS problem

    The internet seems to work fine on the TMG server.
    Any suggestions would be appreciated.


  4. Assalam o Alaikum Raihan;
    I want to protect my servers from direct access either from internal network or External network. For this i want to design DMZ so that i can place all of servers onto DMZ using one TMG machine.
    i put three NICs into TMG machine.
    1. Internal
    2. External (Public IP)
    3. Perimeter (Where i want to put all of my servers e.g. DC,ADC,SQL, Webserver, Antivirus server etc.

    Now i am testing TMG for this scenario.

    I installed TMG Enterprise and configured it as 3-leg and chose Private IPs in DMZ during installation. All network rules are published automatically and i made the firewall rules to all outbound from internal to external, internal to perimeter and perimeter to internal and external.
    Placed one system in DMZ and given it address, TMG perimeter NIC has
    Now DMZ to Local Host and Internal to Local host all kind of communication is working fine but Internal to DMZ and DMZ to internal is not happening.
    When i ping from either internal or perimeter is gives “Destination host not found”
    Can this communication happen without giving Dual IPs to Client machines and how.

    Your reply would be great help.

    Adnan Alam,
    Express News Pakistan.


    • You need to create new rules for ping protocol. By default TMG block everything unless you define in rules. This is the best practice of any kind of firewall.
      Thanks for visiting my site and never greet people with “Assalam o Alaikum” you dont know personally instead say “hello or Dear”


      • Hello Raihan;
        Did what you advised. Actually i configured my servers as it is as you mentioned in your guide here. created all rules you created like dns, ping, kerbaros etc. but no luck. actually my concept is not getting clear that how a 172.18.x.x client will be able to ping 192.168.x.x computers. It instantly replies for “Destination host unreachable”, how would it take out the ping request out of the interface? It is understandable for public IPs that it would use its artificial intelligence to judge that its a public ip and it would need to NAT it.
        Please help even if you think these foolish questions.
        Adnan Alam,


      • Hello Adnan,
        You need to add proper routing rules in TMG. Such as 172.18.x.x route to 192.168.x.x
        Click Networking>Network rule>Create new rule> Add IP ranges
        Create a ping rule in firewall
        That should solve the problem


  5. We have created 3-Legs Perimeter, from internal everything fine, but our probelm is from perimeter to inernal which is not accessible.


      • I have created rule as per your instructions, but getting the below message

        Closed Connection “Server Name” 6/25/2011 2:59:57 PM
        Log type: Firewall service
        Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
        Rule: Perimeter to Internal
        Source: Perimeter (
        Destination: Local Host (
        Protocol: HTTP Proxy


      • Did you added all the firewall policy you need? Did you added internal and DMZ networks in TMG?
        What sort of connection is declined by TMG? please let me know


  6. I have created rule as per your instructions, but getting the below message

    Closed Connection “Server Name” 6/25/2011 2:59:57 PM
    Log type: Firewall service
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
    Rule: Perimeter to Internal
    Source: Perimeter (
    Destination: Local Host (
    Protocol: HTTP Proxy


  7. Hi,
    I need your help to implement a structure that works with a firewall / router + ISA Server 2006 mode 3 leg perimeter. Do you have any step by step tutorial?

    Thank you.


  8. Hi, I have one topology of TMG with two EMS and Tw0 TMG Standard with NLB in the external, perimeter and internal. What area the best practice to routing and networking rules for this topology.



  9. Good post however I saw tmg configs where only DNS is needed on the internal NIC as MS recommends. This is also how i set this up for my my clients. Just wondering in what case(s) would you put DNS entries on all 3 nics?



  10. hi,

    i already have TMG Server in placed. i want to configure running TMG server with DMZ. i have created DMZ Network with seperate range. do i need to configure Netowrk Rule before creating Firewall Rule ? if yes then Route or Nat relationship and with what networks ?


  11. Pingback: How did this blog perform in the year of 2011 | Blog by Raihan Al-Beruni

  12. Hi

    I have created Exchange test environment in my lab which is below scenario

    Internal – t0
    Servers : 3 Exchange servers and 1 DC
    TMG2010 Server – Configure 3 network Adapters with below networks
    1 -Internal
    1 -Perimeter
    EDGE Transport Server – Configured in Perimeter Network
    1- Perimeter

    The issue is I cant able to communicate Edge server to My internal network ,I follow you step and configured necessary firewall rules and network rule s but still getting ”
    “Destination host is not reachable error”

    I tried all the ways and search google I couldn’t found any solutions ,Appreciate i could provide Idea on this .


    • How many nics you have in Edge server? If single then default gateway of edge server is please check all subnet mask and relationship inbetween internal-perimeter internal-public.

      everything is blocked in TMG by default. allow ping and try again. publish rules whatever is required to fullfil your need. update me once you checked all these.


      • Hi

        Thanks for update

        i have chked the Edge Server is configured with singale adapter with the ipaddress and Dns (internal)

        Netwrok Rules :
        Configure Route internal to perimeter
        COnfigure NAT Perimeter to External

        Firewall rules :

        Configure All protocols from Perimeter to Internall netwroks

        But still i cant able to communicate ,


      • you dont have to confiure all protocol from perimeter to internal.
        Create required rules to and from perimeter and internal vise-versa and test. You may allowed traffic oneway and trying to use otherway.


  13. In this 3-leg configuration do you recommend that the TMG Server should be joined to the Domain ?

    Because actually i have 2 isa 2006 servers (frontend isa (workgroup) and backend isa (domain member)) and because of the numbers of licenses from microsoft i now have to have only 1 firewall server (tmg 2010).

    in my DMZ i only have one ftp server and one web server everything else (smtp – ad ) is in my internal.

    what do you recommend.

    Please give me your feedback.

    Best Regards


  14. I have doubt about this 3-leg configuration, should i have the tmg server joined to the domain ?

    I actually have two isa 2006 servers (isa frontend (workgroup) isa backend (domain)),
    but i have to change to only 1 TMG server because of license issues and i´m thinking of using this 3-leg configuration.

    On my DMZ i only have 1 ftp server and 1 web server.

    Could you please tell me what do you recommend.

    Please give me feedback on my questions

    Best Regards



  15. Good Morning,

    I’ve got a simple lab vmware setup. so far a Internal network (has DC with DNS), Perimeter (has one FTP Server) and the External internetwork NIC.

    DC /w DNS has
    GW (internal NIC of TMG)
    DNS Fowarder to

    FTP Server has
    GW (perimeter NIC of TMG)

    TMG External Internet NIC has
    IP – (modem)
    GW – (modem)
    DNS – (modem)
    TMG Internal NIC has
    IP –
    GW – no GW
    DNS –

    TMG Perimeter NIC has
    IP –
    GW – no GW
    DNS – no DNS

    – I’m not able to ping from my DNS unless I have ICS enabled on my TMG external NIC but I can ICS bind only to one Internal or Perimeter NIC.
    Is there any additional setting i’ve missed out like enabling Routing / etc on the TMG.
    And If i enable ICS the TMG installation doesn’t complete or I can configure a 3-leg topology. If i disable and install TMG, ICS can’t be enabled it later and will not let my perimeter network to communicate to external sites.


    • you dont need enable ICS on TMG server. You need allow HTTP/HTTPS traffic to and from your desired destination. make sure you create firewall rules. web access rules etc.
      Create Topology in TMG that means Use TMG MMC>TMG Server Name>Start Up wizard>Create 2-leg perimeter.

      There is no need add DNS and Default gateway on the internal and perimeter NIC. TMG>Monitor>add connectivity verifier like AD, DNS and Web.

      COnfigure Proxy. TMG>networking>Internal Network>Property>Web Proxy

      COnfigure IE of DNS server to use Proxy and than browse. Make sure you can browse internet from TMG server.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.