Getting Started with Forefront Threat Management Gateway 2010, Part 4: Sample Deployment Scenarios

Sample Deployment Scenarios

Even though the previous part described the basic network configuration, it is still easy to get wrong, and a misconfiguration usually shows up later as name-resolution or routing problems. This part therefore walks through two example network configurations to help you understand how to configure the network for a Forefront TMG 2010 deployment.

Note: Remember that the Forefront TMG firewall resolves names on behalf of Web Proxy and Firewall clients only. It does not resolve names for SecureNAT clients, so make sure you configure your SecureNAT clients with a DNS server that can resolve both internal and external host names. It can be the same DNS server that the Forefront TMG firewall itself uses, if you want.

Simple Network #1

Let's look at the first example. A small company wants to deploy Forefront TMG 2010 as its firewall, installed in the edge firewall role. The network configuration is as follows:

Firewall

    Internal Interface

  • IP Address: 192.168.1.10/24
  • Gateway: none
  • DNS: none

    External Interface

  • IP Address: 192.168.0.10/24
  • Gateway: 192.168.0.1
  • DNS: 8.8.8.8

Clients

  • IP Address: 192.168.1.1-192.168.1.254, mask /24 (excluding 192.168.1.10, the firewall's internal address)
  • Gateway: 192.168.1.10
  • DNS: 8.8.8.8

In this scenario there is no internal Active Directory/DNS server, so external DNS servers are used instead. 8.8.8.8 is one of Google's public DNS resolvers; replace it with your ISP's DNS servers. The clients are SecureNAT clients, so DNS must be configured on the clients as well, because the firewall does not resolve names on their behalf. Since those clients send their DNS queries through the firewall to an external resolver, TMG also needs an access rule that allows the DNS protocol from the Internal network to the External network; without it the default deny rule drops the queries and the clients cannot resolve anything. The network diagram is summarised as follows:
Sample Deployment Scenario - Simple Network #1

There is one very specific deployment role in which it is perfectly acceptable to configure DNS servers on the External interface: when the TMG firewall is deployed as a bastion host, which is what this example shows. In that role the TMG firewall is not a domain member and does not communicate with internal network resources. This is the only scenario in which specifying your ISP's DNS servers on the External interface is recommended.
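The following PowerShell script is an added example, not part of the original article, that applies the Simple Network #1 addressing to the TMG server and checks the two invariants a bastion-host TMG depends on: exactly one default gateway on the whole box (on the External NIC) and DNS servers on the External NIC only. It assumes the two adapters have already been renamed "Internal" and "External" in Network Connections, and it sticks to netsh, WMI and .NET so it runs under the PowerShell 2.0 that ships with Windows Server 2008 R2. The hostname used for the resolution test is only a placeholder.

```powershell
# Added example (not from the original article): configure the TMG server's NICs
# for Simple Network #1 and verify the result. Run from an elevated PowerShell
# on the TMG server. Adapter names are assumptions; rename yours to match.

$internalNic = 'Internal'       # assumed adapter name
$externalNic = 'External'       # assumed adapter name
$ispDns      = '8.8.8.8'        # swap for your ISP's resolver, as the article says

# Internal NIC: address and mask only. No default gateway and no DNS servers.
netsh interface ip set address name="$internalNic" source=static addr=192.168.1.10 mask=255.255.255.0 gateway=none
netsh interface ip set dns     name="$internalNic" source=static addr=none

# External NIC: address, the one and only default gateway, and the ISP DNS.
# register=none stops the public-facing NIC from trying to register itself in DNS.
netsh interface ip set address name="$externalNic" source=static addr=192.168.0.10 mask=255.255.255.0 gateway=192.168.0.1 gwmetric=1
netsh interface ip set dns     name="$externalNic" source=static addr=$ispDns register=none

# Collect the IPv4 state of every enabled adapter so the invariants can be checked.
function Get-TmgNicState {
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($c in $cfgs) {
        New-Object PSObject -Property @{
            Name    = $c.Description
            IP      = (@($c.IPAddress) | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }) -join ','
            Gateway = (@($c.DefaultIPGateway)) -join ','
            DNS     = (@($c.DNSServerSearchOrder)) -join ','
        }
    }
}

$state = @(Get-TmgNicState)
$state | Format-Table Name, IP, Gateway, DNS -AutoSize

# Invariant 1: a multihomed firewall must have exactly one default gateway,
# otherwise return traffic can leave by the wrong interface.
$gatewayNics = @($state | Where-Object { $_.Gateway })
if ($gatewayNics.Count -ne 1) {
    Write-Warning "Expected exactly one default gateway, found $($gatewayNics.Count)."
}

# Invariant 2: in the bastion-host role DNS servers belong on the External NIC only.
$dnsNics = @($state | Where-Object { $_.DNS })
if ($dnsNics.Count -ne 1) {
    Write-Warning "DNS servers should be set on the External NIC only; found on $($dnsNics.Count) NICs."
}

# Resolution from the firewall itself goes straight to the ISP resolver.
# www.microsoft.com is just a placeholder public name for the test.
try {
    [System.Net.Dns]::GetHostAddresses('www.microsoft.com') | ForEach-Object { $_.IPAddressToString }
} catch {
    Write-Warning "External name resolution failed: $($_.Exception.Message)"
}
```

Run the script, then reboot or at least restart the adapters before installing TMG so the installer's network detection sees the final addressing. The two warnings are the checks worth keeping in your build notes: a second default gateway (typically left over from a DHCP-assigned Internal NIC) is the most common cause of "it works from the firewall but not from the clients".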

Simple Network #2

In the second example, the company already has Active Directory/DNS and other infrastructure services, and is deploying Forefront TMG 2010 as an edge firewall. The network configuration is as follows:

Firewall

    Internal Interface

  • IP Address: 192.168.1.10/24
  • Gateway: none
  • DNS: 192.168.1.2

    External Interface

  • IP Address: 192.168.0.10/24
  • Gateway: 192.168.0.1
  • DNS: none

Clients

  • IP Address: 192.168.1.1-192.168.1.254, mask /24 (excluding 192.168.1.2, the DNS server, and 192.168.1.10, the firewall's internal address)
  • Gateway: 192.168.1.10
  • DNS: 192.168.1.2

In this scenario there is an internal DNS server. DNS queries should go to it first, so the DNS server configured on the firewall's internal interface is the internal DNS server, and no DNS server is set on the external interface. You then have to configure the internal DNS server to forward every query it is not authoritative for to your ISP's DNS servers. Those forwarded queries leave the network through TMG (the DNS server's default gateway is the firewall, so it is a SecureNAT client), which means TMG needs an access rule allowing the DNS protocol from 192.168.1.2 on the Internal network to the External network; otherwise internal names resolve but external ones time out.

Sample Deployment Scenario - Simple Network #2
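The following script is an added example, not part of the original article, for the Simple Network #2 pattern: it points the TMG server at the internal DNS server on the Internal NIC only, sets the forwarders on the internal DNS server with dnscmd, and then checks from the TMG host that both an internal and an external name resolve through 192.168.1.2. The adapter names "Internal" and "External", the Active Directory domain corp.example.com, the internal host dc01.corp.example.com and the ISP resolver 203.0.113.53 are all placeholders that the article does not specify; substitute your own.

```powershell
# Added example (not from the original article): Simple Network #2, where the
# internal DNS server 192.168.1.2 answers for the AD domain and forwards the
# rest to the ISP. Steps 1 and 3 run on the TMG server; step 2 targets the DNS
# server remotely with dnscmd (DNS Server role tools / RSAT must be installed).
# Adapter names, domain, host and ISP resolver below are assumptions.

$internalNic  = 'Internal'                 # assumed adapter name
$externalNic  = 'External'                 # assumed adapter name
$internalDns  = '192.168.1.2'              # the internal AD/DNS server from the article
$ispDns       = '203.0.113.53'             # placeholder; use your ISP's resolver
$internalFqdn = 'dc01.corp.example.com'    # placeholder internal host to test

# --- 1. TMG server: DNS on the Internal NIC only, nothing on the External NIC.
#        The Internal NIC registers its address in AD DNS (register=primary) so
#        internal hosts can find the firewall by name; the External NIC must not.
netsh interface ip set dns name="$internalNic" source=static addr=$internalDns register=primary
netsh interface ip set dns name="$externalNic" source=static addr=none

# --- 2. Internal DNS server: forward everything it is not authoritative for to
#        the ISP. /ResetForwarders replaces the whole forwarder list; /Timeout is
#        the per-forwarder wait in seconds before the server tries recursion itself.
dnscmd $internalDns /ResetForwarders $ispDns /Timeout 5

# --- 3. Check from the TMG host. Its resolver is now 192.168.1.2, so an internal
#        name proves the zone is served locally and an external name proves the
#        forwarder path (DNS server -> TMG access rule -> ISP) works end to end.
function Test-NameResolution {
    param([string[]]$Names)
    foreach ($n in $Names) {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
            New-Object PSObject -Property @{ Name = $n; Resolved = $true;  Detail = ($ips -join ',') }
        } catch {
            New-Object PSObject -Property @{ Name = $n; Resolved = $false; Detail = $_.Exception.Message }
        }
    }
}

# www.microsoft.com is only a placeholder public name for the external check.
Test-NameResolution -Names $internalFqdn, 'www.microsoft.com' |
    Format-Table Name, Resolved, Detail -AutoSize
```

If the internal name resolves but the external one fails, the forwarder is set correctly but the DNS server's queries are being dropped at the firewall: create an access rule allowing DNS from 192.168.1.2 to the External network before looking anywhere else. If both fail, the TMG server is not actually using 192.168.1.2 (run ipconfig /all and confirm the External NIC lists no DNS servers).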

Series Navigation: << Getting Started with Forefront Threat Management Gateway 2010, Part 3: Prepare Your Server | Getting Started with Forefront Threat Management Gateway 2010, Part 5: Installation >>