7/29/2019 62679280-TMG-2010-and-Excahnge-2010.pdf

Install & Configure Forefront TMG Back to Back solution with Exchange 2010 Part 1

January 13, 2011, by richardkok

Last year I wrote a 2 part article on how to install and configure a Forefront TMG back to back solution with OWA 2003. A few weeks ago we migrated to Exchange 2010, so I thought I would write this up again. In these articles I explain how to implement this in your company. It will be a 3 part article. In the first one I will explain the network setup, network relationships, the TMG backend and TMG frontend installations and some simple firewall rules. In the second part we will be configuring OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail. The 3rd article will explain how to set up Exchange ActiveSync and Exchange Outlook Anywhere. For this article we are going to use the following network setup:

This is a simple setup that is used in many companies and universities. The backend TMG firewall (TMG-BE) will be installed and joined to the domain (test.local) and the frontend TMG firewall (TMG-FE) will be installed and joined to a workgroup (WORKGROUP). Our company website is hosted on the webserver and will be available to the outside world. The Barracuda appliance will listen for incoming SMTP mail and will be used for spam filtering and virus checking. After this check the mail will be forwarded to the Exchange 2010 server. Outlook Web Access (OWA), ActiveSync and Outlook Anywhere will be made available as well.

    TMG network relationships


An important issue to understand is how network relationships work in a back to back solution. Dr. Thomas W. Shinder wrote some great articles about this and I highly recommend reading them. They can be found here: http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part1.html. For our network setup we use the following network relationships:

As you can see we will use a ROUTE relationship between the internal network and the DMZ network (configured on the TMG-BE), and a NAT relationship between the DMZ and the external segment (configured on the TMG-FE). It is also important to understand that there is a NAT relationship between the internal network and the external network (configured on the TMG-BE). For ROUTE relationships you need to use access rules (from inside to outside and from outside to inside). For NAT relationships you need to use access rules (from inside to outside) and publishing rules (from outside to inside). It is not widely known that you can use publishing rules on a route relationship as well; we are going to use one when we configure OWA.

It is also important to understand what is internal and what is external from the point of view of each TMG firewall. For the TMG-BE it looks like this:


The TMG-BE will see VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5 as the INTERNAL network. It will see VLAN6 as the PERIMETER network and VLAN7 as the EXTERNAL network. For the TMG-FE it will look like this:

The TMG-FE will see VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6 as the INTERNAL network and VLAN7 as the EXTERNAL network. For our article we will use the following IP addressing scheme:


Installing the TMG-BE

Before you install TMG 2010 on your machine make sure that:

- You renamed your internal NIC to something like Internal and your external NIC to something like DMZ.
- You entered all appropriate information on all NICs (according to the IP addressing scheme).
- You joined the TMG-BE to the domain.
- You increased performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters: change NodeType to value 2 (REG_DWORD).
- You updated the system with the latest service packs and updates.

OK, let's start the TMG 2010 Back-End installation:

- Start the TMG 2010 installation and choose to run the Preparation Tool.
- Select Forefront TMG services and Management and wait until everything is complete.
- The Forefront TMG installation will start.
- Enter your username, company name and serial number.


- Enter the installation path to your liking.
- Now we need to enter the internal network for the TMG-BE. Remember we spoke of this before: we need to enter all subnet IPs from VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5.
- Start TMG-KB981324-AMD64-ENU.MSP to install TMG 2010 Service Pack 1.
- Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
- Start the TMG MMC and select Configure network settings.
- Select BACK FIREWALL and the INTERNAL adapter as the Local Area Network.
- In the same window we need to add some static routes. The internal interface of the TMG-BE does not have a default gateway configured, so we need to tell the TMG-BE how to reach VLAN1, VLAN2, VLAN3 and VLAN4. The gateway configured on the core switch will be 10.5.0.1. Let's add 4 static routes:


- Select the DMZ interface as the PERIMETER network adapter and choose a private (ROUTE) relationship.
- Select Configure system settings and leave everything at the defaults.
- Select Define deployment options and enter licenses if applicable.
- Close the Getting Started wizard.

Installing the TMG-FE

Before you install TMG 2010 on your machine make sure that:

- You renamed your internal NIC to something like DMZ and your external NIC to something like INTERNET.
- You entered all appropriate information on all NICs (according to the IP addressing scheme).
- You joined the TMG-FE to a workgroup.
- You increased performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters: change NodeType to value 2 (REG_DWORD).
- You updated the system with the latest service packs and updates.


OK, let's start the TMG 2010 Front-End installation:

- Start the TMG 2010 installation and choose to run the Preparation Tool.
- Select Forefront TMG services and Management and wait until everything is complete.
- The Forefront TMG installation will start.
- Enter your username, company name and serial number.
- Enter the installation path to your liking.
- Now we need to enter the internal network for the TMG-FE. We need to enter all subnet IPs from VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6.
- Start TMG-KB981324-AMD64-ENU.MSP to install TMG 2010 Service Pack 1.
- Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
- Start the TMG MMC and select Configure network settings.
- Select EDGE FIREWALL and the DMZ adapter as the Local Area Network.
- In the same window we need to add some static routes. The internal interface of the TMG-FE does not have a default gateway configured, so we need to tell the TMG-FE how to reach VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. The gateway configured for these routes will be the external interface of the TMG-BE (10.6.0.1). Let's add 5 static routes:


- Choose the INTERNET network adapter for the ISP connection.
- Select Configure system settings and leave everything at the defaults.
- Select Define deployment options and enter licenses if applicable.
- Close the Getting Started wizard.

Configuring the TMG-BE

- Start the TMG MMC and go to Forefront TMG (TMG-BE) > Networking > Networks tab.
- Right-click the Internal network, choose Properties and open the Domains tab.
- In the Domain names box add: *.test.local
- Choose the Web Browser tab and change the following: enable Bypass proxy for web servers in this network; enable Directly access computers specified in the Domains tab; enable Directly access computers specified in the Addresses tab.
- Choose the Auto Discovery tab and enable Publish automatic discovery.
- Configure your DNS and DHCP server for WPAD; read here: http://technet.microsoft.com/en-us/library/cc995261.aspx

Let's create some firewall rules to allow DNS, HTTP, HTTPS and FTP traffic.

- Go to Forefront TMG (TMG-BE) > Firewall Policy > Create access rule.


Create the following rules:

Rule Name : Allow DNS traffic from DC1
Rule Number : 1
Protocols : DNS
From : DC1
To : External
User Sets : All users

Rule Name : Allow HTTP, HTTPS, FTP traffic
Rule Number : 2
Protocols : HTTP, HTTPS, FTP
From : Internal Network
To : External Network
User Sets : All authenticated users

Configuring the TMG-FE

- Start the TMG MMC and go to Forefront TMG (TMG-FE) > Intrusion Prevention System > Behavioral Intrusion Detection tab, choose Configure Flood Mitigation settings and open the IP Exceptions tab. Since there is a NAT relationship between the internal network and the external network on the TMG-BE, the source IP of every outbound packet is changed to the TMG-BE external interface. So when the packets arrive at the TMG-FE internal interface it sees a lot of traffic coming from one IP address. Therefore we must add the external interface of the TMG-BE to the IP Exceptions tab, or else the TMG-FE flood mitigation will drop traffic.
- Go to Forefront TMG (TMG-FE) > Firewall Policy > Create access rule.

Create the following rule:

Rule Name : Allow all traffic from TMG-BE
Rule Number : 1
Protocols : All protocols
From : TMG-BE (external interface IP)
To : External Network
User Sets : All users
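To make the network relationships section and the three access rules above concrete, here is a small Python model of the policy chain (an added example, not the article's or TMG's code). Only 10.6.0.1 and the rule names are the article's; the VLAN subnets 10.1.0.0/24 to 10.6.0.0/24, the DC1 address 10.1.0.10 and the sample destinations are constructed. It walks a flow through the TMG-BE rules, applies the NAT that rewrites every Internet-bound source to the TMG-BE external interface, and then evaluates the TMG-FE rule, which shows why that single address needs the flood mitigation exception.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 10.6.0.1 (TMG-BE external interface) is from the article; subnets and hosts are constructed.
INTERNAL = tuple(ip_network(f"10.{v}.0.0/24") for v in range(1, 6))  # VLAN1-5
DMZ = (ip_network("10.6.0.0/24"),)                                   # VLAN6
TMG_BE_EXT = "10.6.0.1"
DENY = "denied (default rule)"  # TMG's implicit last rule

def in_any(ip, nets):
    return any(ip_address(ip) in n for n in nets)

@dataclass(frozen=True)
class Packet:
    src: str                     # dotted-quad source address
    dst: str                     # dotted-quad destination address
    protocol: str
    authenticated: bool = False  # did the TMG identify a domain user for this flow?

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset         # frozenset({"*"}) stands for "All protocols"
    src: tuple                   # networks the source address must fall in
    dst: object                  # tuple of networks, or None for the External network
    users: str                   # "All users" or "All authenticated users"

    def matches(self, pkt):
        proto_ok = "*" in self.protocols or pkt.protocol in self.protocols
        dst_ok = (not in_any(pkt.dst, INTERNAL + DMZ) if self.dst is None
                  else in_any(pkt.dst, self.dst))
        user_ok = self.users == "All users" or pkt.authenticated
        return proto_ok and in_any(pkt.src, self.src) and dst_ok and user_ok

BE_RULES = (  # the article's TMG-BE rules, in evaluation order
    Rule("Allow DNS traffic from DC1", frozenset({"DNS"}),
         (ip_network("10.1.0.10/32"),), None, "All users"),  # DC1 address constructed
    Rule("Allow HTTP, HTTPS, FTP traffic", frozenset({"HTTP", "HTTPS", "FTP"}),
         INTERNAL, None, "All authenticated users"),
)
FE_RULES = (  # the article's single TMG-FE access rule
    Rule("Allow all traffic from TMG-BE", frozenset({"*"}),
         (ip_network("10.6.0.1/32"),), None, "All users"),
)

def first_match(rules, pkt):
    return next((r.name for r in rules if r.matches(pkt)), DENY)

def traverse(pkt, be_rules=BE_RULES, fe_rules=FE_RULES):
    """Walk one flow from the internal network outward; returns (hop, outcome) pairs."""
    trace = [("TMG-BE", first_match(be_rules, pkt))]
    if trace[0][1] == DENY:
        return trace
    if in_any(pkt.dst, DMZ):  # Internal<->DMZ is a ROUTE relationship: no NAT
        return trace + [("TMG-BE", "routed into the DMZ, source address unchanged")]
    # Internal<->External is a NAT relationship: the TMG-FE only ever sees 10.6.0.1
    natted = Packet(TMG_BE_EXT, pkt.dst, pkt.protocol)
    trace.append(("TMG-BE NAT", natted.src))
    trace.append(("TMG-FE", first_match(fe_rules, natted)))
    return trace

def sources_seen_by_fe(packets):
    """Distinct sources the TMG-FE sees for allowed Internet-bound flows: one address,
    which is why the article puts it in the TMG-FE flood mitigation IP exceptions."""
    return {hop[1] for p in packets for hop in traverse(p) if hop[0] == "TMG-BE NAT"}
```

Passing a rule with a DMZ destination to traverse() shows the ROUTE path: the flow is allowed by an access rule alone, keeps its source address and never reaches the TMG-FE.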

Now you can test your created rules by starting a web browser session from DC1. In part 2 of this article we are going to configure OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail. Feel free to comment on this article.


Categories: Exchange 2010, Forefront TMG 2010, Windows 2008 (R2). Tags: ActiveSync, Back to Back, Exchange 2010, Forefront, Forefront TMG 2010, Outlook Anywhere, OWA, TMG

Comments (5)

1. Alex, April 27, 2011 at 5:59 pm (#1)

Hi Richard,

I followed your tutorial, but I'm having some issues that I can't resolve:

1. On the internal NIC in the TMG-FE I am getting "Unidentified network".
2. DNS is not working. I can open websites from the internal network by IP, but not by name.

Thank you!

    o richardkok, April 28, 2011 at 8:36 am (#2)

    1. You do not need to worry about that one; same here. It pops up because it cannot find a domain or internet connection on that particular NIC.
    2. Have you checked that you have created a rule on your backend FW that allows DNS traffic from the DNS server to external? Secondly, check the log and see why it's failing (Logs & Reports, Logging tab).

2. Alex, April 29, 2011 at 6:26 pm (#3)

1. The DNS rule on the BFW is created.
2. There is no incoming traffic from the DC in Logs and Reports, only from the BFW internal NIC to the DC.

I cannot ping external IPs from the DC and member servers. I can ping external IPs from the FFW and BFW. I also cannot ping any FFW and BFW interfaces from the internal network, but this may be normal.

The problem with DNS may be the forwarders, since the DNS server cannot resolve the forwarders' IPs to FQDNs.

I feel something is wrong with routing.

3. Alex, May 11, 2011 at 8:45 pm (#4)

The problem was that I forgot to set up a default IP route on the switch to point to 10.5.0.10.

    o richardkok, May 12, 2011 at 9:06 am (#5)

    Glad to hear you resolved it, Alex. THX for the feedback.