
Install & Configure Forefront TMG Back to Back solution with Exchange 2010 Part 1


Last year I wrote a 2 part article on how to install and configure a Forefront TMG back to back solution with OWA 2003. A few weeks ago we migrated to Exchange 2010, so I thought I would write this up again. In these articles I explain how to implement this in your company. It will be a 3 part article. In the first one I will explain the network setup, the network relationships, the TMG backend and TMG frontend installations and some simple firewall rules. In the second part we will configure OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail. The 3rd article will explain how to set up Exchange ActiveSync and Exchange Outlook Anywhere. For this article we are going to use the following network setup:

This is a simple setup that is used in many companies and universities. The backend TMG firewall (TMG-BE) will be installed and joined to the domain (test.local) and the frontend TMG firewall (TMG-FE) will be installed and joined to a workgroup (WORKGROUP). Our company website is hosted on the webserver and will be available to the outside world. The Barracuda appliance will listen for incoming SMTP mail and will be used for spam filtering and virus checking. After this check the mail will be forwarded to the Exchange 2010 server. Outlook Web Access (OWA), ActiveSync and Outlook Anywhere will be made available as well.

TMG network relationships

An important thing to understand is how network relationships work in a back to back solution. Dr. Thomas W. Shinder wrote some great articles about this and I highly recommend reading them. They can be found here. For our network setup we use the following network relationships:

As you can see we will use a ROUTE relationship between the internal network and the DMZ network (configured on the TMG-BE), and a NAT relationship between the DMZ and the external segment (configured on the TMG-FE). It is also important to understand that there is a NAT relationship between the internal network and the external network (configured on the TMG-BE). For ROUTE relationships you use access rules in both directions (from inside to outside and from outside to inside). For NAT relationships you use access rules (from inside to outside) and publishing rules (from outside to inside). That is the normal case; it is not widely known that you can use publishing rules on a ROUTE relationship as well. We are going to use one when we configure OWA.

It is also important to understand what is internal and what is external from the point of view of each TMG firewall. For the TMG-BE it looks like this:

The TMG-BE will see VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5 as the INTERNAL network. It will see VLAN6 as the PERIMETER network and VLAN7 as the EXTERNAL network. For the TMG-FE it will look like this:

The TMG-FE will see VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6 as the INTERNAL network and VLAN7 as the EXTERNAL network. For our article we will use the following IP addressing scheme:

Installing the TMG-BE

Before you install TMG 2010 on your machine make sure that:

  • You renamed your internal NIC to something like Internal and your external NIC to something like DMZ.
  • You entered all appropriate information on all NICs (according to the IP addressing scheme)
  • You joined the TMG-BE to the domain
  • Increase performance by changing the NodeType value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters to 2 (REG_DWORD)
  • Update the system with the latest service packs and updates

OK, let's start the TMG 2010 Back-End installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management and wait until everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-BE. Remember we spoke of this before: we need to enter all subnet IPs of VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5.

  • Start TMG-KB981324-AMD64-ENU.MSP to install TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select BACK FIREWALL and the INTERNAL adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-BE does not have a default gateway configured, so we need to tell the TMG-BE how to reach VLAN1, VLAN2, VLAN3 and VLAN4. The gateway for these routes is the core switch, 10.5.0.1. Let's add 4 static routes:

  • Select the DMZ interface as the PERIMETER network adapter and choose a private (ROUTE) relationship
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard

Installing TMG-FE

Before you install TMG 2010 on your machine make sure that:

  • You renamed your internal NIC to something like DMZ and your external NIC to something like INTERNET.
  • You entered all appropriate information on all NICs (according to the IP addressing scheme)
  • You joined the TMG-FE to a workgroup
  • Increase performance by changing the NodeType value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters to 2 (REG_DWORD)
  • Update the system with the latest service packs and updates

OK, let's start the TMG 2010 Front-End installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management and wait until everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-FE. We need to enter all subnet IPs of VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6.

  • Start TMG-KB981324-AMD64-ENU.MSP to install TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select EDGE FIREWALL and the DMZ adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-FE does not have a default gateway configured, so we need to tell the TMG-FE how to reach VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. The gateway for these routes will be the external interface of the TMG-BE (10.6.0.1). Let's add 5 static routes:

  • Choose the INTERNET network adapter for the ISP connection
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard
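The static-route steps for both firewalls (4 routes on the TMG-BE via 10.5.0.1, 5 routes on the TMG-FE via 10.6.0.1), as an added PowerShell example that is not part of the original article. The VLAN1 to VLAN5 subnets and masks are assumed placeholders, because the addressing-scheme figure is not reproduced here; the function names are mine, and route.exe is used because Windows Server 2008 R2 has no New-NetRoute cmdlet.

```powershell
# Added example (not from the original article): create the persistent static
# routes from the TMG-BE and TMG-FE installation steps, then verify them.
# Run from an elevated PowerShell prompt on the TMG host. The -p switch of
# route.exe stores the route in the registry so it survives reboots.

# ASSUMED placeholder subnets for VLAN1..VLAN5. The article's addressing figure
# is not reproduced here, so substitute your real networks and masks.
$Vlans = @{
    'VLAN1' = @{ Network = '10.1.0.0'; Mask = '255.255.255.0' }
    'VLAN2' = @{ Network = '10.2.0.0'; Mask = '255.255.255.0' }
    'VLAN3' = @{ Network = '10.3.0.0'; Mask = '255.255.255.0' }
    'VLAN4' = @{ Network = '10.4.0.0'; Mask = '255.255.255.0' }
    'VLAN5' = @{ Network = '10.5.0.0'; Mask = '255.255.255.0' }
}

# Per role: which VLANs need a route and which next hop to use.
# TMG-BE: the internal NIC has no default gateway, so VLAN1-4 are reached via
#         the core switch (10.5.0.1); VLAN5 is directly connected.
# TMG-FE: the DMZ NIC has no default gateway, so VLAN1-5 are reached via the
#         TMG-BE external interface (10.6.0.1); VLAN6 is directly connected.
$RoutePlan = @{
    'TMG-BE' = @{ Gateway = '10.5.0.1'; Targets = @('VLAN1','VLAN2','VLAN3','VLAN4') }
    'TMG-FE' = @{ Gateway = '10.6.0.1'; Targets = @('VLAN1','VLAN2','VLAN3','VLAN4','VLAN5') }
}

function Add-TmgStaticRoutes {
    param([Parameter(Mandatory=$true)][ValidateSet('TMG-BE','TMG-FE')][string]$Role)
    $plan = $RoutePlan[$Role]
    foreach ($name in $plan.Targets) {
        $net = $Vlans[$name]
        # A non-zero exit code means the add failed (for example because an
        # identical route already exists); the warning tells you which one.
        & route.exe add $net.Network mask $net.Mask $plan.Gateway -p | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$Role : adding the route for $name ($($net.Network)) failed"
        }
    }
}

function Test-TmgStaticRoutes {
    param([Parameter(Mandatory=$true)][ValidateSet('TMG-BE','TMG-FE')][string]$Role)
    # Read the persistent routes back from WMI and report any target that is
    # missing or points at the wrong next hop. Returns $true only if all match.
    $plan = $RoutePlan[$Role]
    $persisted = Get-WmiObject -Class Win32_IP4PersistedRouteTable
    $ok = $true
    foreach ($name in $plan.Targets) {
        $net = $Vlans[$name]
        $match = $persisted | Where-Object {
            $_.Destination -eq $net.Network -and $_.Mask -eq $net.Mask -and $_.NextHop -eq $plan.Gateway
        }
        if ($match) { Write-Host "$name -> $($net.Network)/$($net.Mask) via $($plan.Gateway) OK" }
        else        { Write-Warning "$name route missing or wrong next hop"; $ok = $false }
    }
    return $ok
}

# Usage on the backend firewall (use -Role 'TMG-FE' on the frontend):
Add-TmgStaticRoutes -Role 'TMG-BE'
Test-TmgStaticRoutes -Role 'TMG-BE' | Out-Null
```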

Configuring the TMG-BE

  • Start the TMG MMC and go to Forefront TMG (TMG-BE) – Networking – Networks tab
  • Right-click the Internal network, choose Properties and open the Domains tab
  • In the domain names box add: *.test.local
  • Choose the Web Browser tab and change the following:
  • Enable Bypass proxy for web servers in this network
  • Enable Directly access computers specified in the Domains tab
  • Enable Directly access computers specified in the Addresses tab
  • Choose the Auto Discovery tab and enable Publish automatic discovery
  • Configure your DNS and DHCP server for WPAD – read here
  • Let's create some firewall rules to allow DNS, HTTP, HTTPS and FTP traffic.
  • Go to Forefront TMG (TMG-BE) – Firewall Policy – Create access rule

Create the following rules:

  • Rule Name : Allow DNS traffic from DC1
  • Rule Number : 1
  • Protocols : DNS
  • From : DC1
  • To : External
  • User Sets : All users

  • Rule Name : Allow HTTP, HTTPS, FTP traffic
  • Rule Number : 2
  • Protocols : HTTP, HTTPS, FTP
  • From : Internal Network
  • To : External Network
  • User Sets : All authenticated users

Configuring the TMG-FE

  • Start the TMG MMC and go to Forefront TMG (TMG-FE) – Intrusion Prevention System – Behavioral Intrusion Detection tab – choose Configure Flood Mitigation Settings – IP Exceptions tab
  • Since there is a NAT relationship between the internal network and the external network on the TMG-BE, the source IP of all outbound traffic is rewritten to the TMG-BE external interface. When those packets arrive at the TMG-FE internal interface it sees a lot of traffic coming from one IP address, which looks like a flood. Therefore we must add the external interface of the TMG-BE to the IP exceptions tab, or else the TMG-FE will drop traffic.
  • Go to Forefront TMG (TMG-FE) – Firewall Policy – Create access rule

Create the following rule:

  • Rule Name : Allow all traffic from TMG-BE
  • Rule Number : 1
  • Protocols : All protocols
  • From : TMG-BE (external interface IP)
  • To : External Network
  • User Sets : All users

Now you can test the rules you created by starting a web browser session from DC1. In part 2 of this article we are going to configure OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail. Feel free to comment on this article.

  1. Alex
    April 27, 2011 at 5:59 pm

    Hi Richard,

    I followed your tutorial, but I am having some issues that I can't resolve:

    1. On Internal Nic in TMG-FE I am getting “Unidentified network”.
    2. DNS is not working. I can open websites from internal network by IP, but not by names.

    Thank you!

    • April 28, 2011 at 8:36 am

      1. You do not need to worry about that one. Same here. It pops up because it cannot find a domain or internet connection on that particular NIC.
      2. Have you checked that you have created a rule on your backend FW that allows DNS traffic from the DNS server to external? Secondly, check the log and see why it's failing (Logs & Reports – Logging tab).

  2. Alex
    April 29, 2011 at 6:26 pm

    1. The DNS rule on BFW is created.
    2. There is no incoming traffic from DC in Logs and Reports. Only from BFW Internal Nic to DC.

    I cannot ping external IPs from the DC and member servers. I can ping external IPs from the FFW and BFW. I also cannot ping any FFW and BFW interfaces from the internal network, but this may be normal.

    The problem with DNS may be the forwarders, since the DNS server cannot resolve the forwarders' IPs to FQDNs.

    I feel something is wrong with routing.

  3. Alex
    May 11, 2011 at 8:45 pm

    The problem was that I forgot to set up the default IP route on the switch to point to 10.5.0.10

    • May 12, 2011 at 9:06 am

      Glad to hear you resolved it Alex. THX for the feedback.

  4. Martin
    September 16, 2011 at 9:02 pm

    Why are you running the network relationship between internal and external as NAT… that would perform double NAT, as the FE TMG has a network relationship between perimeter and external.

    • October 13, 2011 at 11:09 am

      No, it's a single NAT. The BE TMG has a route relationship between internal and DMZ. The FE TMG has a NAT relationship between internal and external. The internal network of the BE TMG and the FE TMG external network have a single NAT relationship.

  5. CITITECHS
    November 25, 2011 at 10:17 am

    Hey Richard,

    I've got to say I've been looking for this article for years. You did such a great job of breaking down what a Back to Back is. Even if the frontend isn't TMG, I know how to configure an ASA or an iptables firewall just from this blog post.

    I did have a few questions in regards to VPN

    In regards to site to site, such as an IPsec tunnel, when you have a configuration that is running a FE/BE setup, what would the configuration look like?

    Similar to how you published the webserver? Where on the front end you just open the ports for IPsec UDP 500? And then on the backend is where you configure the site to site? Or do you terminate it on the front end and create routes to the backend? If you already have this configuration I'd love to see screenshots or a breakdown of the configuration.

    I did read into SSTP and I believe that one is simple: it gets configured on the BE TMG where the web listener is, & just open 443 on the FE. Correct me if I am wrong.

    Then my last question is OpenVPN in tun configuration. Not even sure where I would begin with that one. I am guessing it would sit in the perimeter with a persistent route to the internal? Then in theory site to sites can connect to it or external VPN users can connect in. I guess the routing would be the confusing part here for me. How do the connected users see everything behind the LAN when they are sitting in the perimeter, is it because of the route? Then on the OpenVPN configuration I push my internal subnet to them? Again, just guessing.

    When any of the above come over VPN, would they be able to hit internal resources as well as perimeter resources? Another guess would be that we treat those users as internal, like you demonstrated above on the FE.

    • November 25, 2011 at 1:22 pm

      Thanks for the feedback! It's nice to hear that these articles are useful for someone else. I must say that I'm a beginner on VPN related configurations but I think I can point you in the right direction.

      For a site to site IPsec tunnel you open up two ports on the FE server: port 500 UDP and port 4500 UDP. So terminate it on the BE server.
      Find some excellent info here.

      Regarding SSTP: you are on the right track here. Terminate it on the BE server as well and open up port 443 on the FE server.
      Find extra info here.

      Regarding OpenVPN: I found an article here that might be useful for you. I agree that the routing would be an issue and not very safe from a security point of view?

      So perhaps option 1 or 2 would be a good solution instead of OpenVPN. Then you could create a separate DHCP scope for the VPN clients. Place this scope on the internal networks tab. Now you can use it and create firewall rules as for any normal internal network, so it can reach DMZ related resources as well. Hope it helps somehow, and maybe in the future I will have a machine powerful enough to create a lab to play around with 3 TMGs and some clients to test these things.

  6. mikedesk
    March 21, 2012 at 7:47 pm

    Hi Richard,

    Currently I have one TMG server set up in a 3-leg perimeter with 4 NIC cards.

    In the Perimeter I have 2 networks as follows:
    DMZ-1 I have published a Barracuda SMTP server
    DMZ-2 a private data line to an outsource service

    I would like to setup a Back-to-Back TMG firewall system by placing a new TMG server as the Front-End and making the current TMG a Back-End server. The BE-TMG is a domain member and FE-TMG will be in a workgroup.

    The problem or doubt that I have is where to place the perimeter. The questions that I have are:

    – Could I make the current server a BE-TMG and leave the perimeter networks as they are (2 NICs in that machine)?
    – Or would I have to remove the perimeter (2 NICs) from the current TMG server and place them on the new FE-TMG?

    Also there are hardware differences between these 2 servers, so I’m not sure if the roles of BE and FE respectively are appropriate.

    The current TMG server is:
    Xeon 4C 2.40GHz
    8GB RAM
    RAID 10 – System
    RAID 1 – Logs
    RAID 1 – Web Cache

    The new server is:
    Xeon 4C 2.8GHz
    4GB RAM
    RAID 10 – System

    Please let me know your opinions on how to proceed with this project.

    Thanks,

    Mike

    • March 28, 2012 at 8:31 am

      Yes, you are on the right track… The current server could be the new TMG-BE. It has more memory, thus it could serve those domain client connections very well. Personally I would give the TMG-BE 2 NICs and the TMG-FE 3 NICs. There is no need to give the Barracuda a separate DMZ NIC, but I guess it's up to your company security policy. The TMG-FE has 4 gigs of memory… it could need more, but monitor it and you can add more in the future.

  7. Spud
    May 9, 2012 at 12:51 pm

    Hi, this is a great article… I am designing something similar to this… what is the DG VLAN about? (Why does the TMG box need to be on a separate arm of the router is the question, I guess?)

    • May 9, 2012 at 3:59 pm

      No, it's not needed at all. It depends on your network design. It's also possible to create a trunk port on the TMG box that holds all 3 VLANs.

  8. September 18, 2012 at 9:17 pm

    Hi, I have a question. I need to use Exchange Edge 2010 with TMG in the DMZ. I am working on a lab so I am using the Hyper-V Manager role in Windows Server 2008 R2. I have read the setup above but one thing missing is the Exchange Edge setup which I am using in my topology. My question is: what is the additional setup needed if I am to set up Exchange Server Edge 2010 with TMG?
    Regards

    • September 20, 2012 at 3:12 pm

      This will get you going if you want to install the edge role on a TMG.

  9. H Limbada
    November 7, 2012 at 3:03 am

    Hi Richard,

    Hope you are well. Thanks for this great article, I now have a working setup. Just a quick question: I don't have a fancy switch, just a basic Dell PowerConnect, so I created two internal LANs, 192.168.1.0/24 for clients and 192.168.2.0/24 for servers, on the TMG-BE and used its internal IP (192.168.2.5) as the gateway for both.

    How can I get them talking to one another? Do I just add another NIC for the second LAN? I'm not sure I've done the best thing, I just wanted to separate the client and server LANs, but still have access to file, mail etc.

    Any help or advice will be great.

    Regards

    H

    • November 9, 2012 at 10:10 am

      Hi H.

      It depends on how you want to route the traffic between those two subnets. Do you want to route the traffic with your switch or do you want to route it with the TMG server? With the switch you need to create 3 VLANs and enable routing between them. If you want to use the TMG you need 3 NICs in your TMG server and create networks/rules between those 3 NICs.

      regards
      richard

      • H Limbada
        November 19, 2012 at 8:17 pm

        Hi Richard,

        Thanks for your reply. I'm going to use the TMG-BE to route traffic. I've tried to google tutorials, but found nothing useful. I set up a new TMG-BE with three NICs: 1 as DMZ, 2 as Internal (servers) and 3 as Clients.

        In terms of routing, do I just add the Clients (NIC 3 network) to each of the five network rules under Networking on TMG-BE?

        Regards

        Hammad

      • November 26, 2012 at 9:53 am

        I would create 3 different networks. Add these 3 networks to a network set called All internal networks. Create network relationships between them (if applicable). This way you are most flexible.

  10. H Limbada
    February 15, 2013 at 12:54 pm

    Hi Richard

    Hope you’re well and had a great start to the new year. I always come back to your post when doing and redoing lab setups..

    I set up another lab and decided to use the TMG-FE as an Edge server for Exchange, but when I run the start edge sync command on Exchange it gives me an LDAP error. I've allowed all outbound traffic on the TMG-BE and that should normally work (it has done when using Edge in the perimeter). Am I missing something on the TMG-FE?

    • February 15, 2013 at 3:30 pm

      Ports need to be opened on the BE so the communication can actually take place between the Edge Transport server and the Hub Transport server:
      – Port 25 / TCP (SMTP) in both directions
      – Port 50636 / TCP (EdgeSync service over SSL) from internal to DMZ

      Further, I would use reports and log what's going on on the FE. If needed you can open up ports on the FE.

  11. Oleg
    September 25, 2013 at 5:17 pm

    Hi Richard

    Using this solution for 2 years now! Works just perfectly! The only thing I am still not able to fix is high latency on the BE server, so my internet response is slow. If I use testspeed.net from the BE server, PING is 205ms, while from the FE it is 5ms. When I ping testspeed.net from CMD, BE and FE have the same response time, 5ms. Any advice?
