Home > Exchange 2003, Forefront TMG 2010, Windows 2008 (R2) > Install & Configure Forefront TMG Back to Back solution Part 1

Install & Configure Forefront TMG Back to Back solution Part 1


This week we installed and configured an Forefront TMG back to back solution in our school. In this article I am explaining on how to implement this in your company. It will be a 2 part article. In the first one I will explain the network setup, network relationships, the TMG backend and TMG Frontend installations and some simple firewall rules. In the second part we will be configuring OWA for exchange 2003, web publishing rules, and incoming and outgoing SMTP mail. For this article we are going to use the following network setup:

This is a simple setup that is used in many companies and universities. The Backend TMG firewall (TMG-BE) will be installed and joined to the domain (test.local) and the Frontend TMG firewall (TMG-FE) will be installed and joined to a workgroup (WORKGROUP). Our company website is hosted on the webserver and will be available for the ouside world. The Barracuda Appliance will listen to incoming SMTP mail and will be used for Spam filtering and virus checking. After this check the mail will be forwarded to the Exchange 2003 Back-End. Outlook Web Access (OWA) will be made available as well.

TMG network relationships

An important issue to understand is how network relationships work in an Back to Back solution. Dr. Thomas W. Shinder made some great articles about this and i highly recommend reading them. They can be found here. For our network setup we use the following network relationships:

As you can see we will use an ROUTE relation ship between the internal network and the DMZ network (configured on the TMG-BE). And we will use an NAT relationship between the DMZ and External segment (configured on the TMG-FE). Its also important to understand that there is a NAT relationship between the internal network and the external network (configured on the TMG-BE). For ROUTE relationships you need to use access rules (from inside to outside and from oputside to inside). For NAT relationships you need to use access rules (from inside to outside) and publishing rules (from outside to inside). As said normally…… Its not widely known that you can use publising rules on a route relationship as well. We are going to use one when we are going to configure OWA.

Its also important to understand whats internal and external regarding to the TMG firewalls. For the TMG-BE it looks like this:

The TMG-BE will see VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 as the INTERNAL network. it will see VLAN6 as the PERIMETER network and VLAN7 as the EXTERNAL network. For the TMG-FE it will look like this:

The TMG-FE will see VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6 as the INTERNAL network and VLAN7 as the EXTERNAL network. For our article we will use the following ip adressing scheme:

Installing the TMG-BE

 Before you install TMG 2010 on your machine make sure that:

  • You renamed you internal NIC to something like Internal and you external NIC to something like DMZ.
  • You entered all appropriate information in all NICs (according to the ip addressing scheme)
  • You joined the TMG-BE to the domain
  • Increase performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters. Change NodeType to value 2 (REG_DWORD)
  • Update system with latest service packs and updates

Ok. lets start the TMG 2010 Back-End installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management en wait untill everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-BE. Remember we spoke of this before. We need to enter all subnet ips from VLAN1, VLAN2, VLAN3, VLAN4, VLAN5.

  • Start TMG-KB981324-AMD64-ENU.MSP to install  TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select BACK FIREWALL and the INTERNAL adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-BE does not have a default gateway configured. We need to tell the TMG-BE how to reach VLAN1, VLAN2, VLAN3 and VLAN4. The gateway configured on the core switch will be 10.5.0.1. Lets add 4 static routes:

  • Select the DMZ interface as the PERIMETER network adapter and choose a private (ROUTE) relationship
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard

Installing TMG-FE

Before you install TMG 2010 on your machine make sure that:

  • You renamed you internal NIC to something like DMZ and you external NIC to something like INTERNET.
  • You entered all appropriate information in all NICs (according to the ip addressing scheme)
  • You joined the TMG-FE to a workgroup
  • Increase performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters. Change NodeType to value 2 (REG_DWORD)
  • Update system with latest service packs and updates

Ok. lets start the TMG 2010 Front-End installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management en wait untill everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-FE. We need to enter all subnet ips from VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6.

  • Start TMG-KB981324-AMD64-ENU.MSP to install  TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select EDGE FIREWALL and the DMZ adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-FE does not have a default gateway configured. We need to tell the TMG-FE how to reach VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. The gateway configured for the routes will be the external interface of the TMG-BE (10.6.0.1) Lets add 5 static routes:

  • Choose the INTERNET networkadapter for the ISP connection
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard

Configuring the TMG-BE

  • Start the TMG MMC and goto Forefront TMG (TMG-BE) – Networking – Networks tab
  • Richtmouseclick on the internal networks and choose properties – choose the domains tab
  • In the domain names box add: *.test.local
  • Choose the webbrowser tab and change the following:
  • Enable Bypass proxy for webservers in this network
  • Enable directly access computers specified in the domains tab
  • Enable directly access computers specified in the addresses tab
  • Choose the Autodiscovery tab and enable publish automatic discovery
  • Configure your DNS and DHCP server for WPAD – read here
  • Lets create some firewall rules to allow DNS, HTTP, HTTPS and FTP traffic.
  • Goto Forefront TMG (TMG-BE) – Firewall Policy – Create access rule

Create the following rules:

  • Rule Name : Allow DNS traffic from DC1
  • Rule Number : 1
  • Protocols : DNS
  • From : DC1
  • To : External
  • User Sets : All users
  • Rule Name : Allow HTTP, HTTPS, FTP traffic
  • Rule number : 2
  • Protocols : HTTP, HTTPS, FTP
  • From : Internal Network
  • To : External Network
  • User Sets : All authenticated users

Configuring the TMG-FE

  • Start the TMG MMC and goto Forefront TMG (TMG-FE) – Intrusion Prevention System – Behavorial Intrusion Detection tab – choose configure Flood Mitigation settings – IP exceptions tab
  • Since there is a NAT relationship between the internal network and external network on the TMG-BE the source ip will be changed to the TMG-BE external interface. So when the packet arrives at the TMG-FE internal interface it will see alot of traffic coming from one ip address. Therefore we must add the external interface from the TMG-BE to the ip exceptions tab or else the TMG-FE will drop traffic.
  • Goto Forefront TMG (TMG-FE) – Firewall Policy – Create access rule

Create the following rule:

  • Rule Name : Allow all traffic from TMG-BE
  • Rule number : 1
  • Protocols : All protocols
  • From : TMG-BE (external interface ip) 
  • To : External Network
  • User Sets : All users

Now you can test your created rules by starting a webbrowser session from the DC1. In part 2 of this article we are going to configure OWA for exchange 2003, web publishing rules, and incoming and outgoing SMTP mail. Feel free to comment on this article.

About these ads
  1. November 8, 2010 at 5:26 pm

    Great series!
    Thanks!
    Tom

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: