Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step


Forefront TMG can be configured in various topologies or network scenarios such as Edge Firewall, 3-Leg Perimeter, Back Firewall and Single Network Adapter. In this article, I will configure Forefront TMG as a 3-leg perimeter. Before you start, prepare Windows Server 2008 on Microsoft-recommended hardware. Below are the standard system requirements for TMG:

  • Supported operating systems: Windows Server 2008 SP2 or Windows Server 2008 R2
  • A computer with a 4-core 64-bit processor (2 CPUs x dual core or 1 CPU x quad core)
  • 4 gigabytes (GB) or more of memory
  • 2.5 GB of available hard disk space. This excludes the disk space you want to use for caching or for temporarily storing files during malware inspection
  • Two disks: one for the system and TMG logging, and one for caching and malware inspection
  • 3 network adapters (3-Leg Perimeter)

Assumptions:

You can add multiple internal network ranges, such as 10.10.11.1/24 and 10.10.12.1/24, in TMG, but only one NIC of the TMG server is assigned as the internal NIC. In this situation, you have to create the VLANs, IP routing and access rules on the core switch or layer 3 switch. You can also add multiple perimeter networks in your infrastructure; in that case, you have to assign a specific NIC to each perimeter network. Visit the server manufacturer's web site to find out the maximum number of NICs supported by the server hardware, and the Microsoft web site for the maximum number of NICs supported in a physical and a virtualized Windows server. In real life, the DMZ and the External network must have public (i.e. routable) IP addresses.

In a perimeter, you can publish Exchange CAS, OCS and SharePoint front-end servers, or the web server of your choice. The following Visio diagram depicts a typical 3-leg perimeter or DMZ.

Install Windows Server 2008 on a virtual or physical machine that meets the recommended system requirements. Insert the TMG DVD or mount the TMG ISO on the virtual server. Run the TMG Preparation Tool and then the Installation Wizard. Follow my previous step by step TMG installation guide to install TMG; it would be redundant to write it again.

Configure 3-leg perimeter:

Open the Forefront TMG console > select the TMG array > launch the Getting Started Wizard from the Tasks pane. You will be presented with the configuration wizard. Click Configure Network Settings > click Next > select 3-Leg Perimeter > click Next.

Select the internal, external and perimeter networks in the following three steps. Remember, you must configure a static IP for all NICs.

Now configure the system settings and define the deployment options in the next steps.

Click the Networking option and verify all the settings by visiting the properties of the internal and perimeter networks. You may add the desired routing rules under Network Rules.
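The addressing and network-relationship checks above are easy to get wrong across three NICs. As an added example, not code from the original article or from Microsoft, here is a small Python validator for a 3-leg plan; the sample addresses (other than the 10.10.11.0/24 internal range mentioned above), the Route/NAT relationships it expects and the dictionary layout are assumptions of this example.

```python
import ipaddress

# Constructed sample plan for the three TMG NICs (addresses assumed; only 10.10.11.0/24
# comes from the article). gateway=None means the NIC has no default gateway.
SAMPLE_NICS = {
    "Internal":  {"address": "10.10.11.1/24",   "gateway": None},
    "Perimeter": {"address": "203.0.113.1/28",  "gateway": None},
    "External":  {"address": "198.51.100.2/30", "gateway": "198.51.100.1"},
}
# Network relationships a 3-leg perimeter normally uses (assumed expected values).
EXPECTED_RULES = {
    ("Internal", "Perimeter"): "Route",
    ("Internal", "External"): "NAT",
    ("Perimeter", "External"): "NAT",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True if the address is in a private (non-routable) RFC 1918 block."""
    return any(ip in net for net in RFC1918)

def check_nics(nics):
    """Return a list of problems with the NIC plan; an empty list means it is consistent."""
    problems = []
    ifaces = {name: ipaddress.ip_interface(cfg["address"]) for name, cfg in nics.items()}
    names = list(ifaces)
    # Each leg must be its own subnet, otherwise TMG cannot tell the networks apart.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} subnets overlap")
    # Only the External NIC carries a default gateway; TMG's network rules route the rest.
    for name, cfg in nics.items():
        if name != "External" and cfg["gateway"] is not None:
            problems.append(f"{name} NIC should have no default gateway")
    ext_gw = nics["External"]["gateway"]
    if ext_gw is None or ipaddress.ip_address(ext_gw) not in ifaces["External"].network:
        problems.append("External NIC needs a default gateway on its own subnet")
    # The article's point: DMZ and External should carry routable (public) addresses.
    for name in ("Perimeter", "External"):
        if is_rfc1918(ifaces[name].ip):
            problems.append(f"{name} NIC uses a private address; DMZ/External should be routable")
    return problems

def check_network_rules(rules):
    """Report relationships that differ from what a 3-leg perimeter expects."""
    return [f"{a}->{b} should be {rel}, got {rules.get((a, b))}"
            for (a, b), rel in EXPECTED_RULES.items() if rules.get((a, b)) != rel]
```

A private DMZ (as the wizard's "private IPs in DMZ" option allows) is reported as a problem here because the article treats routable DMZ addressing as the real-world requirement.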

DNS Configuration for Perimeter Network:

To allow LDAP authentication from the perimeter network, right-click Firewall Policy > click New > click Access Policy.

Type the name of the policy > click Next > click Allow > click Next.

On the Selected Protocols step, add DNS, Kerberos-Admin (TCP), Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (GC), Kerberos-Sec (TCP), Kerberos-Sec (UDP), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP, PING and RPC (All Interfaces). As the source, specify the particular web server (or servers), and as the destination specify the AD DNS server. For this article, I am adding the perimeter and internal networks as a whole; however, in a production environment I would not recommend doing so. For security reasons, by default everything is blocked in the TMG server: you have to add protocols and rules one by one. Create a specific rule for each specific purpose.

Apply the changes > click OK. Right-click the rule > click Properties > verify all protocols, the source and the destination.
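To make the "one specific rule per purpose" advice above checkable, here is an added Python example (not code from the original article) that reviews access rules against the protocol set listed above and flags rules whose source or destination is a whole network; the rule names, computer objects and the dictionary layout are assumptions of this example.

```python
# Protocols the article's DMZ-to-AD rule uses (TMG built-in protocol names as listed above).
AD_AUTH_PROTOCOLS = {
    "DNS", "Kerberos-Admin (TCP)", "Kerberos-Admin (UDP)", "Kerberos-Sec (TCP)",
    "Kerberos-Sec (UDP)", "LDAP", "LDAP (UDP)", "LDAP (GC)", "Microsoft CIFS (TCP)",
    "Microsoft CIFS (UDP)", "NTP", "PING", "RPC (All Interfaces)",
}
# Objects that stand for an entire network rather than a specific host.
WHOLE_NETWORKS = {"Internal", "Perimeter", "External", "All Networks", "Local Host"}

# Constructed sample rules (assumed names and layout; not exported from a real TMG array).
LAB_RULE = {  # the whole-network rule the article builds for demonstration
    "name": "DMZ to AD (lab)", "action": "Allow",
    "protocols": sorted(AD_AUTH_PROTOCOLS),
    "source": ["Perimeter"], "destination": ["Internal"],
}
PRODUCTION_RULE = {  # the scoped rule the article recommends instead
    "name": "WEB01 to DC01", "action": "Allow",
    "protocols": sorted(AD_AUTH_PROTOCOLS),
    "source": ["WEB01 (computer)"], "destination": ["DC01 (computer)"],
}

def review_access_rule(rule):
    """Return findings for an Allow rule that is broader than 'one specific rule per purpose'."""
    findings = []
    if rule["action"] != "Allow":
        return findings  # a deny rule cannot over-grant
    if "All Outbound Traffic" in rule["protocols"]:
        findings.append("allows all protocols; list only the protocols the server needs")
    extra = sorted(set(rule["protocols"]) - AD_AUTH_PROTOCOLS - {"All Outbound Traffic"})
    if extra:
        findings.append(f"protocols beyond the AD/DNS set: {extra}")
    for side in ("source", "destination"):
        broad = [obj for obj in rule[side] if obj in WHOLE_NETWORKS]
        if broad:
            findings.append(f"{side} is a whole network {broad}; name the specific server(s)")
    return findings

def review_policy(rules):
    """Map rule name -> findings, keeping only rules that have something to report."""
    return {r["name"]: f for r in rules if (f := review_access_rule(r))}
```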

To publish any web server in the perimeter, follow the links provided in the relevant articles. To publish secure web sites, import the web server certificates into the TMG server and the web server, and follow the web publishing rule.

Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

36 thoughts on “Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step”

  1. Pingback: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step | MicrosoftGURU

  2. I’ve published an internal web server so that it can be reached from external. However, from my perimeter (all public IPs) I can’t reach that web server using its external domain name. Any ideas?

    • Right click on the rule you published > Property and check originating and destination sources. Is Perimeter available on the originating list? Log on to the domain management tool that is provided by your ISP. Please check that the correct IP and FQDN are added.
      Step 1. Add the proper CNAME and public IP through the ISP or your own tools
      Step 2. Proper rules in the router, if one is in place; it might be blocking something
      Step 3. Publish rule in TMG

      Please let me know how you go.

  3. Dear Mr. Raihan
    I have set up a similar environment, i.e. a 3-leg perimeter setup. Unfortunately, even after following the same steps above, my internal servers are not able to reach the internet. I am getting the following error:

    Technical Information (for support personnel)
    Error Code 11002: Host not found
    Background: This error indicates that the gateway could not find an authoritative DNS server for the website you are trying to access.
    Date: 6/4/2011 9:16:57 AM [GMT]
    Server: xxxxTMG.xxx.xx
    Source: DNS problem

    The internet seems to work fine on the TMG server.
    Any suggestions would be appreciated.

  4. Assalam o Alaikum Raihan;
    I want to protect my servers from direct access either from the internal network or the external network. For this I want to design a DMZ so that I can place all of my servers in the DMZ using one TMG machine.
    I put three NICs into the TMG machine:
    1. Internal 172.18.0.0/23
    2. External (Public IP)
    3. Perimeter 192.168.0.0/24 (where I want to put all of my servers, e.g. DC, ADC, SQL, web server, antivirus server etc.)

    Now I am testing TMG for this scenario.

    I installed TMG Enterprise and configured it as 3-leg and chose private IPs in the DMZ during installation. All network rules are published automatically and I made the firewall rules to allow all outbound from internal to external, internal to perimeter and perimeter to internal and external.
    I placed one system in the DMZ and gave it the 192.168.0.2 address; the TMG perimeter NIC has 192.168.0.30.
    Now DMZ to Local Host and Internal to Local Host all kinds of communication are working fine, but Internal to DMZ and DMZ to Internal is not happening.
    When I ping from either internal or perimeter it gives “Destination host not found”.
    Can this communication happen without giving dual IPs to client machines, and how?

    Your reply would be a great help.

    Regards;
    Adnan Alam,
    Express News Pakistan.

    • You need to create new rules for the ping protocol. By default TMG blocks everything unless you define it in rules. This is the best practice of any kind of firewall.
      Thanks for visiting my site, and never greet people you don’t know personally with “Assalam o Alaikum”; instead say “hello” or “Dear”.

      • Hello Raihan;
        Did what you advised. Actually I configured my servers exactly as you mentioned in your guide here. Created all the rules you created like DNS, ping, Kerberos etc. but no luck. Actually my concept is not getting clear on how a 172.18.x.x client will be able to ping 192.168.x.x computers. It instantly replies “Destination host unreachable”; how would it take the ping request out of the interface? It is understandable for public IPs that it would use its artificial intelligence to judge that it’s a public IP and it would need to NAT it.
        Please help even if you think these are foolish questions.
        Regards;
        Adnan Alam,
        Pakistan

      • Hello Adnan,
        You need to add proper routing rules in TMG, such as a 172.18.x.x route to 192.168.x.x.
        Click Networking > Network Rules > Create New Rule > Add IP ranges.
        Create a ping rule in the firewall.
        That should solve the problem.
        Raihan

  5. We have created a 3-leg perimeter. From internal everything is fine, but our problem is from perimeter to internal, which is not accessible.

      • I have created rule as per your instructions, but getting the below message

        Closed Connection “Server Name” 6/25/2011 2:59:57 PM
        Log type: Firewall service
        Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
        Rule: Perimeter to Internal
        Source: Perimeter (172.16.2.2:1065)
        Destination: Local Host (192.168.1.23:8080)
        Protocol: HTTP Proxy

      • Did you add all the firewall policies you need? Did you add the internal and DMZ networks in TMG?
        What sort of connection is declined by TMG? Please let me know.

  7. Hi,
    I need your help to implement a structure that works with a firewall/router + ISA Server 2006 in 3-leg perimeter mode. Do you have any step by step tutorial?

    Thank you.

  8. Hi, I have one topology of TMG with two EMS and two TMG Standard with NLB in the external, perimeter and internal. What are the best practices for routing and network rules for this topology?

    Thanks.

  9. Good post, however I saw TMG configs where only DNS is needed on the internal NIC, as MS recommends. This is also how I set this up for my clients. Just wondering in what case(s) would you put DNS entries on all 3 NICs?

    Thanks

  10. Hi,

    I already have a TMG server in place. I want to configure the running TMG server with a DMZ. I have created a DMZ network with a separate range. Do I need to configure a network rule before creating a firewall rule? If yes, then a Route or NAT relationship, and with what networks?

  11. Pingback: How did this blog perform in the year of 2011 | Blog by Raihan Al-Beruni

  12. Hi

    I have created an Exchange test environment in my lab with the below scenario:

    Internal – 192.168.0.1 to 192.168.0.100
    Servers: 3 Exchange servers and 1 DC
    TMG 2010 Server – configured with 3 network adapters with the below networks
    1 – Internal 192.168.0.2
    1 – Perimeter 192.168.2.1
    1 – External 10.156.2.80
    Edge Transport Server – configured in the perimeter network
    1 – Perimeter 192.168.2.3

    The issue is I can’t communicate from the Edge server to my internal network. I followed your steps and configured the necessary firewall rules and network rules but I am still getting the “Destination host is not reachable” error.

    I tried all the ways and searched Google but I couldn’t find any solutions. I would appreciate it if you could provide an idea on this.

    • How many NICs do you have in the Edge server? If single, then the default gateway of the Edge server is 192.168.2.1. Please check all subnet masks and the relationships between internal-perimeter and internal-public.

      Everything is blocked in TMG by default. Allow ping and try again. Publish whatever rules are required to fulfil your need. Update me once you have checked all these.

      • Hi

        Thanks for the update.

        I have checked: the Edge server is configured with a single adapter with the IP address 192.168.2.1 and DNS 192.168.0.2 (internal).

        Network rules:
        Configured Route internal to perimeter
        Configured NAT perimeter to external

        Firewall rules:

        Configured all protocols from perimeter to internal networks

        But still I can’t communicate.

      • You don’t have to configure all protocols from perimeter to internal.
        Create the required rules to and from perimeter and internal, and vice versa, and test. You may have allowed traffic one way and be trying to use it the other way.

  13. In this 3-leg configuration, do you recommend that the TMG server should be joined to the domain?

    Because actually I have 2 ISA 2006 servers (front-end ISA (workgroup) and back-end ISA (domain member)) and because of the number of licenses from Microsoft I now have to have only 1 firewall server (TMG 2010).

    In my DMZ I only have one FTP server and one web server; everything else (SMTP, AD) is in my internal.

    What do you recommend?

    Please give me your feedback.

    Best Regards

  14. I have a doubt about this 3-leg configuration: should I have the TMG server joined to the domain?

    I actually have two ISA 2006 servers (ISA front-end (workgroup), ISA back-end (domain)),
    but I have to change to only 1 TMG server because of license issues and I’m thinking of using this 3-leg configuration.

    On my DMZ I only have 1 FTP server and 1 web server.

    Could you please tell me what you recommend?

    Please give me feedback on my questions.

    Best Regards

    LG

  15. Good Morning,

    I’ve got a simple VMware lab setup. So far, an internal network (has DC with DNS), a perimeter (has one FTP server) and the external internet NIC.

    DC w/ DNS has
    IP 10.1.1.1
    GW 10.1.1.2 (internal NIC of TMG)
    DNS 10.1.1.1
    DNS forwarder to 8.8.8.8

    FTP Server has
    IP 20.1.1.1
    GW 20.1.1.2 (perimeter NIC of TMG)
    no 10.1.1.1

    TMG External Internet NIC has
    IP – 192.168.0.1 (modem)
    GW – 192.168.0.1 (modem)
    DNS – 192.168.0.1 (modem)
    TMG Internal NIC has
    IP – 10.1.1.2
    GW – no GW
    DNS – 10.1.1.1

    TMG Perimeter NIC has
    IP – 20.1.1.2
    GW – no GW
    DNS – no DNS

    – I’m not able to ping google.com from my DNS unless I have ICS enabled on my TMG external NIC, but I can bind ICS only to one internal or perimeter NIC.
    Is there any additional setting I’ve missed out, like enabling routing etc. on the TMG?
    And if I enable ICS, the TMG installation doesn’t complete or I can configure a 3-leg topology. If I disable it and install TMG, ICS can’t be enabled later and will not let my perimeter network communicate with external sites.

    • You don’t need to enable ICS on the TMG server. You need to allow HTTP/HTTPS traffic to and from your desired destination. Make sure you create firewall rules, web access rules etc.
      Create the topology in TMG; that means use TMG MMC > TMG Server Name > Start Up wizard > Create 2-leg perimeter.

      There is no need to add DNS and a default gateway on the internal and perimeter NIC. TMG > Monitor > add connectivity verifiers like AD, DNS and Web.

      Configure Proxy: TMG > Networking > Internal Network > Property > Web Proxy.

      Configure IE on the DNS server to use the proxy and then browse. Make sure you can browse the internet from the TMG server.
