Installing forefront tmg in a multi router environment with multiple virtual machines


  • Installing forefront tmg in a multi router environment with multiple virtual machines

    Hello,
    I've planned to install TMG 2010 but am very confused about how to get started. Here is the infrastructure of my working environment.
    We have 20-30 employees. We have a SharePoint server running on a domain controller, but only for SharePoint do we get authenticated by the DC. All employees' computers are in a workgroup. We have 3 routers. One of the routers has a static IP and the other two are dynamic. Users mostly use the other 2 routers as their gateway. We've got a server which runs Hyper-V with 4 guests (DC with SharePoint, development server, Lync server and SQL server). The host machine (server) has 1 NIC (I have one extra NIC to configure for TMG, but it is not yet installed) which is connected to the router and has a private IP address (e.g. 192.x.x.2), and all the other VMs have their own IPs accordingly.
    I am planning to install TMG in one of my VMs (Lync, since we don't use Lync often and it has more free space). How should I configure it so that I protect my network and restrict users from surfing the internet and creating security threats for my organization?

  • #2
    Re: Installing forefront tmg in a multi router environment with multiple virtual mach

    Sigh... Moved to perfectly good security forum just a little way below the coffee lounge...
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Installing forefront tmg in a multi router environment with multiple virtual mach

      Originally posted by shanferouze
      How should i configure so that i protect my network and restrict users from surfing the internet and making security threat for my organization.
      Difficult to get a quick answer for that question as it is not very specific.
      In a nutshell, though, you could just put TMG on a DMZ behind your current router.
      For planning and deployment scenarios, look at Google as there are loads of resources available.
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR



      • #4
        Re: Installing forefront tmg in a multi router environment with multiple virtual mach

        I suggest you spool up another VM just for TMG; it's not a good idea to have TMG and Lync on the same server, but it looks like you are restricted by Hyper-V licensing...

        You can install TMG behind the router and set up TMG as an HTTP proxy.
        TMG requires 2 NICs, 1 for frontend traffic and 1 for backend traffic.

        On the router (or firewall, if any), deny any protocol access from the client workstations and only enable access to port 80 and port 443 from the TMG server.

        For the client workstations, you need to configure their browsers to use the TMG proxy server. If you have Windows DHCP leasing out the IP addresses, you can include the WPAD option in your DHCP scope.

        If all your workstations are joined to the domain, you can set up a group policy to automatically deploy the proxy settings to clients and prevent clients from changing the settings.

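        The two client-side steps dnleong describes above (publishing the proxy through the DHCP WPAD option, then pinning it with Group Policy for domain-joined machines; tehcamel's reply below makes the same Group Policy point) can be scripted on the DHCP/AD server. The script below is an added example, not something posted in this thread or shipped with TMG. It assumes the DhcpServer, GroupPolicy and ActiveDirectory PowerShell modules are present, and every name in it is a constructed placeholder: the scope 192.0.2.0, the hosts wpad.corp.example and tmg.corp.example, the GPO name, and the PAC file path. It also assumes TMG is serving its web proxy on the default port 8080.

```powershell
# Added example (not from the thread): publish a PAC URL via DHCP option 252 and
# enforce the TMG proxy with a GPO. All names below are constructed placeholders.
Import-Module DhcpServer
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ScopeId   = '192.0.2.0'                           # constructed workstation scope
$WpadUrl   = 'http://wpad.corp.example/wpad.dat'   # constructed; serve the PAC file here
$ProxyHost = 'tmg.corp.example:8080'               # constructed TMG web-proxy listener
$GpoName   = 'Enforce TMG Proxy'                   # hypothetical GPO name
$PacPath   = 'C:\inetpub\wwwroot\wpad.dat'         # constructed; web root of the WPAD host

# --- 1. The PAC file the WPAD URL points at ------------------------------------
# Local/intranet traffic goes DIRECT; everything else is sent to TMG.
$Pac = @"
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
        return "DIRECT";
    return "PROXY $ProxyHost";
}
"@
Set-Content -Path $PacPath -Value $Pac -Encoding Ascii

# --- 2. DHCP: hand the PAC URL to clients with option 252 (WPAD) ---------------
# Option 252 is not predefined on Windows DHCP; define it once, then set the
# value on the scope the workstations lease from.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 252 -Name 'WPAD' -Type String `
        -Description 'Proxy auto-configuration (PAC) URL'
}
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252 -Value $WpadUrl

# --- 3. GPO: pin the proxy for domain-joined clients and lock it -------------
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    # Link at the domain root; narrow the target OU in a real deployment.
    New-GPLink -Name $GpoName -Target (Get-ADDomain).DistinguishedName | Out-Null
}

$IeSettings = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $IeSettings -ValueName 'ProxyEnable'   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $IeSettings -ValueName 'ProxyServer'   -Type String -Value $ProxyHost | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $IeSettings -ValueName 'ProxyOverride' -Type String -Value '<local>;*.corp.example' | Out-Null

# "Prevent changing proxy settings" (User Configuration > Administrative Templates >
# Windows Components > Internet Explorer) is backed by this policy value.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# --- 4. Read back what was configured ------------------------------------------
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252
Get-GPRegistryValue -Name $GpoName -Key $IeSettings
```

        Two caveats worth keeping in mind. First, neither the PAC file nor the GPO stops a machine that ignores them (workgroup PCs, non-Windows devices, a user with local admin rights); the router or firewall rule in the post above, which drops everything from the workstation subnet except what the TMG server itself originates, is what actually prevents bypass. Second, browsers that auto-discover WPAD will also try the DNS name `wpad` in their own domain, so register that name yourself in internal DNS so that no other host on the LAN can answer for it.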


        • #5
          Re: Installing forefront tmg in a multi router environment with multiple virtual mach

          I'd suggest a thorough network overhaul.

          Firstly, your routers. Determine whether you actually need them and what they do. If you DO need all 3 (and they are routers, and not just wireless APs or switches etc) then set them on static IPs.

          Then, make all your computers join the domain. There's no real good reason not to do this, and about 15 million reasons why you should. (Central management and authentication, just to start with)

          Move SharePoint off your DC. Put it on the same server as the SQL Server, and have the farm all on one host (I assume this is what you use your SQL server for).

          As dnleong said, spool up another VM for TMG. TMG is VERY picky about its security. If you install it on a box with something else, it's likely to break those services.

          I don't even know if Lync would run and work effectively on a TMG box. dnleong may be a bit better qualified to know about this than me, though.


          Group Policy can then be used to force all your clients to use the Forefront proxy. It can also be used to centrally manage Windows Update services (decreasing your internet download costs) and even which applications should be installed on computers.
          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



          • #6
            Re: Installing forefront tmg in a multi router environment with multiple virtual mach

            I can confirm that TMG should be on its own box; it's a beast.

            I also agree with redoing your whole network. Why do you need three routers?

            Follow tehcamel's advice. He (she?) has never steered me wrong.



            • #7
              Re: Installing forefront tmg in a multi router environment with multiple virtual mach

              If I were you, I would have only one gateway for your network (the firewall) and I would let this firewall manage all connections and routing between networks, since having three routers on a network is a complete nightmare from an administrator's perspective.
