More notes on Threat Management Gateway Arrays

Written by

Published on 31/8/2011 - Read in about 2 min (336 words)

Published under Microsoft #Forefront #network #routing #Threat Management Gateway #TMG

This article is now 11 years old! It is highly likely that this information is out of date and the author will have completely forgotten about it. Please take care when following any guidance to ensure you have up-to-date recommendations.

It seems that despite my previous experiences with TMG 2010, I still stumble when creating a TMG array. Here are some “notes to self”, which will hopefully stop me making the same mistakes next time

Get the NICs right first

In this case I came to a project after the initial installation of the array and there was no dedicated intra-array network installed. I added a new NIC to each VM and configured the IP addressing, VLANs and routing, but could not get the intra-array network to ping, let alone talk to each other. So the lesson here is to set up the servers with their NICs before you install TMG - Microsoft recommend a dedicated intra-array network and every bit of experience I have with TMG arrays confirms that.

Get the NIC Binding order right

This is simple, the order I have found to work is:

Intra-array Network
Private/Internal Network
Public/External Network

Some people recommend the Private/Internal network first, then the Intra-array, but I have found that this order works better (anyone able to dispute this or give me a reason why it should be the other way?). The key thing is that the External Network (which should be your default Gateway) is last in the binding order, which brings me to the next point…

Get the gateway and routing right

Default Gateway: The only NIC with a Default Gateway set should be the Public/External NIC
DNS: The only NIC with DNS configured should be your Private/Internal NIC
Register in DNS: The only NIC registering in DNS should be the Private/Internal NIC
Client for Microsoft Networks: Only enabled on the Private/Internal NIC
File and Print Sharing for Microsoft Networks: Only enabled on the Private/Internal NIC
NetBIOS over TCP/IP: Only enabled on the Private/Internal NIC

Add any static and persistant routes required and make sure you can access those networks before installing TMG. This allows you to get the routing right without the complication of TMG rules and firewalls.

Then, and only then, install TMG 🙂

More notes on Threat Management Gateway Arrays

Get the NICs right first

Get the NIC Binding order right

Get the gateway and routing right

Share this post