Getting Started with Forefront Threat Management Gateway 2010, Part 3: Prepare Your Server

Before we install Forefront TMG 2010 on the server, we should prepare our server to ensure that everything is configured properly first.

Prepare Your Server

• Set time zone and date/time correctly. This is a very simple task, but it is importance. Configure date/time incorrectly or inconsistency with other servers, or devices leads to difficulty when investigate problem from event log, or firewall logging. You should configure to synchronize date/time from the Internet or time service if you have one in your organization.
  
• Update Windows to patch any flaw that may lead to security breach.
• Configure Network Interface Cards (NICs). This is a little tricky part. See next section below for detail configuration.

Note: It is not recommended to install other infrastructure services, such as, DNS, DHCP, etc. on the Forefront TMG server. It may reduce the overall stability and performance of the server.

Configure Network Interface Cards (NICs)

Configure network interfaces aren’t difficult, however, if you have a misunderstanding about configuring these network interfaces, Forefront TMG server may not work as it should be, or performance could be reduced. For example, if you configure external DNS servers on any network interface of the Forefront TMG server, you may not be able to resolve internal host names because the Forefront TMG server might forward requests to those external DNS servers and the request will be discarded since they don’t know anything about your infrastructure.

External Interface

First, let’s see the external interface (normally an interface that connects to the Internet). The IP address and subnet mask must be configured as you planned. The default gateway must be configured also because this is where all traffic is forwarded to when the server can’t find the route to the destination IP address, usually, this is the router IP address. DNS on the external NIC isn’t require to be configured in most cases.

To summarize what you need to configure on the external NIC are:

• IP address
• Subnet mask
• Default Gateway

Internal Interface

Second, on the internal interface, the IP address and subnet mask must be configured as you planned. For default gateway, you can leave it blank because you already configured it on the external interface. For DNS servers, you should add your internal DNS servers so the Forefront TMG server can query for DNS of the internal network.
Note: DNS servers should be configured on one and only one network interface (the internal interface). If you have multiple internal DNS servers, you can put them all on the same internal interface.

To summarize what you need to configure on the internal NIC are:

• IP address
• Subnet mask
• Internal DNS servers

DMZ Interface

Third, if you have DMZ, you only need to configure IP address and subnet mask.

Network Binding Order

Last thing to consider is to ensure that the internal interface is above the external interface in network binding order so that all DNS request will be sent to internal interface first (DMZ interface should be between if you have it).
To configure network binding order, open Network Connections from Control Panel -> Network and Internet -> Network and Sharing Center -> Change adapter settings. Then, Press ALT key to open up window context menu and select Advanced -> Advanced Settings.

Make sure the internal interface is above the external interface. If not, select on the internal interface and click the green-up-arrow on right side to move it up.

What’s Next?

Now you have prepared your server, next it is time install Forefront TMG 2010 on the server.