Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

    Here's a diagram for my nice lab:



    A little more info.

    Two Domains
    domain.com for a public website, hosted elsewhere
    internal.net for the AD domain

    What I am trying to accomplish:
    Access multiple services accessible outside of the network. To name a few, Exchange mail, a website and another secure website.

    Why am I using Microsoft Threat Management Gateway?
    So that I can access multiple resources that utilize the same ports from outside of the network on the same public IP address. Layer 7 in short. I've read this requires setting up a PTR record with your DNS provider, then once it hits TMG, it'll send/receive to whichever system it is intended for.

    Examples
    autodiscover.domain.com > WAN IP > 192.168.2.100:443
    securewebsite.domain.com > WAN IP > 192.168.2.101:443


    What I've done so far
    I'm reading up quite a bit on TMG. I don't know how to easily introduce this into the network.

    The server is set up, is added to the domain, and TMG is installed. Now comes the configuration. I'll be setting this up as an Edge firewall. I don't know if I need to do anything to the existing pfSense Router+Firewall, and I especially don't know if I need to do anything to the TMG system so it recognizes the subnets.

    Here's what I picture so far
    WAN > TMG > Router > Switch

    Any help with putting the pieces together would be much appreciated. Thank you everyone!

  • #2
    Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

    If you are introducing TMG I'd remove the other router/firewall, so that there is only one edge and only one NAT device between the internet and the client network.

    TMG works best with an external IP on its external interface, so if you only have one IP a bridged modem or something like that is useful, unless your feed already terminates in an ethernet cable with the static IP.

    PTR records are for reverse DNS, so not required for incoming clients. TMG will allow multiple websites on the same IP for port 80, distinguished by the request domain, but multiple HTTPS websites should really use multiple Web Listeners and therefore multiple IPs, as you can only bind one SSL certificate per web listener.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog
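As an added example (not code from the thread, from TMG, or from either poster), a small Python checker for the publishing design sketched in the first post. It models web listeners and publishing rules and flags the constraint cruachan raises here: a listener carries one certificate, so every HTTPS hostname published through it must be on that certificate or needs its own listener and public IP, while port 80 hosts can share one listener by request domain. The listener names, the 203.0.113.x public addresses and the certificate names are constructed; the 192.168.2.x backends are the ones from the original post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str
    public_ip: str          # constructed TEST-NET address standing in for the WAN IP
    port: int
    cert_names: tuple = ()  # CN/SAN names on the single certificate bound to this listener


@dataclass(frozen=True)
class PublishingRule:
    public_host: str  # hostname the outside client asks for (request domain / Host header)
    listener: str     # listener the rule is attached to
    backend: str      # internal server the request is forwarded to


def cert_covers(cert_name: str, host: str) -> bool:
    """RFC 6125-style name match: '*.domain.com' matches exactly one left-most label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return cert_name == host


def check_publishing(listeners, rules):
    """Return (routing table, findings); an empty findings list means the listener plan holds."""
    by_name = {l.name: l for l in listeners}
    routes, findings = {}, []
    for r in rules:
        l = by_name[r.listener]
        # Port 80 is shared by request domain; every HTTPS host must be on the listener's one cert.
        if l.port == 443 and not any(cert_covers(n, r.public_host) for n in l.cert_names):
            findings.append(f"{r.public_host}: not on the certificate bound to {l.name}; "
                            "give it its own HTTPS listener and public IP")
        routes[(l.public_ip, l.port, r.public_host.lower())] = r.backend
    return routes, findings


# Constructed sample: one public IP, one HTTPS listener, the two HTTPS backends from the post.
LISTENERS = [
    Listener("https_mail", "203.0.113.10", 443, ("mail.domain.com", "autodiscover.domain.com")),
    Listener("http_web", "203.0.113.10", 80),
]
RULES = [
    PublishingRule("autodiscover.domain.com", "https_mail", "192.168.2.100:443"),
    PublishingRule("securewebsite.domain.com", "https_mail", "192.168.2.101:443"),
    PublishingRule("www.domain.com", "http_web", "192.168.2.101:80"),
]
```

Running `check_publishing(LISTENERS, RULES)` reports securewebsite.domain.com as not covered by the mail listener's certificate; adding a second HTTPS listener on another public IP with a certificate for that name clears the finding.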


    • #3
      Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

      Originally posted by cruachan
      If you are introducing TMG I'd remove the other router/firewall, so that there is only one edge and only one NAT device between the internet and the client network.

      TMG works best with an external IP on its external interface, so if you only have one IP a bridged modem or something like that is useful, unless your feed already terminates in an ethernet cable with the static IP.

      PTR records are for reverse DNS, so not required for incoming clients. TMG will allow multiple websites on the same IP for port 80, distinguished by the request domain, but multiple HTTPS websites should really use multiple Web Listeners and therefore multiple IPs, as you can only bind one SSL certificate per web listener.
      Hello Cruachan! Thank you for the reply.

      Actually, there is no modem. Being that the connection originates from Fiber, there is an ONT that converts it to Ethernet.

      Are you suggesting that TMG handle NAT+FW+Routing?

      This is what I imagine you are proposing:

      Internet - External NIC > TMG (FW+Router+NAT) < Internal NIC - LAN - Switch



      • #4
        Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

        Indeed it can, TMG as an Edge firewall requires at least 2 NICs (WAN and LAN, or more commonly referred to as Internal and External as these are the network names TMG uses) and will NAT between the two. You can also have perimeter networks if you require a DMZ or if you want two networks to share one ISP connection etc.

        If you wanted to you could have the current VLANs defined as different networks on TMG and use it to route between them.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog


        • #5
          Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

          Originally posted by cruachan
          Indeed it can, TMG as an Edge firewall requires at least 2 NICs (WAN and LAN, or more commonly referred to as Internal and External as these are the network names TMG uses) and will NAT between the two. You can also have perimeter networks if you require a DMZ or if you want two networks to share one ISP connection etc.

          If you wanted to you could have the current VLANs defined as different networks on TMG and use it to route between them.
          Thank you again for the reply.

          I was hoping to keep the pfSense as the router to manage VLANs and NAT, and move the firewall to TMG. Kind of like what's pictured here:



          Does that make sense? Is it bad practice? I appreciate your input, very much.



          • #6
            Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

            Personally I dislike multiple layers of NAT where possible. I don't see a need to keep the second router. If you specify all of your internal ranges as belonging to the internal range of TMG then it can handle all of your subnets, and the VLANs are still segregated by the switch. Alternatively you can specify one subnet as the internal range on TMG and the others as perimeter networks and use TMG for managing all inter- and intra-network traffic.

            TMG is very powerful and very configurable, so I can't really make a proper recommendation on how I would set it up without knowing your requirements.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog


            • #7
              Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

              Originally posted by cruachan
              Personally I dislike multiple layers of NAT where possible. I don't see a need to keep the second router. If you specify all of your internal ranges as belonging to the internal range of TMG then it can handle all of your subnets, and the VLANs are still segregated by the switch. Alternatively you can specify one subnet as the internal range on TMG and the others as perimeter networks and use TMG for managing all inter- and intra-network traffic.

              TMG is very powerful and very configurable, so I can't really make a proper recommendation on how I would set it up without knowing your requirements.
              Thank you for your input.

              My concern is more or less security.

              It concerns me to have the TMG on the edge and facing the internet, especially since it also belongs to the internal domain.

              Positioning the TMG as a back firewall seems to introduce a layer of security. The front firewall (pfSense, FreeBSD) would not belong to the domain, would only forward packets that I tell it to and would be more locked down overall.

              I'll follow up shortly.



              • #8
                Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

                ISA/TMG as a domain member is not a security hole, and in fact is the recommended configuration.

                http://www.isaserver.org/tutorials/d...in-member.html

                That's a blog by Tom Shinder, who was an MS Edge MVP and now works for Microsoft.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                Cruachan's Blog


                • #9
                  Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

                  Originally posted by cruachan
                  ISA/TMG as a domain member is not a security hole, and in fact is the recommended configuration.

                  http://www.isaserver.org/tutorials/d...in-member.html

                  That's a blog by Tom Shinder, who was an MS Edge MVP and now works for Microsoft.
                  Tom's awesome.

                  Good point. I plan on adding it as a member of the domain, otherwise I'd miss out on the management goodness.

                  Still, would placing a FreeBSD-based firewall at the front end of a network mitigate risk? When compared to placing a Windows OS at the edge of a network, I would think so.



                  • #10
                    Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

                    Adding a FreeBSD box wouldn't add additional security or risk. It would make it harder to manage.
                    TMG is placed very low in the OSI model and therefore there is no added risk on the Windows layer. In fact it would make the OS more secure. Exploits are usually higher in the OSI model, like Explorer bugs, Notepad bugs etc. For such a threat, the attacker would have to go through the TMG filters to get into the OS.

                    A well-configured firewall doesn't allow any traffic other than management traffic from or to the firewall itself; everything else to or from the firewall should be denied at all costs. It should allow traffic from the external network to a client such as a web server, or traffic from internal clients towards the internet.
                    Because of a well-configured firewall, no attacker can enter the OS, and therefore an attacker cannot exploit the OS.

                    However, just like with every other firewall, you shouldn't start using the internet on the firewall etc. If you use it as a firewall, treat it as a firewall.

                    On the ISAserver.org forums I asked during development to be able to install TMG on Windows Core, but due to certain dependencies it was not possible. I wish they had resolved that, since it would give TMG and Windows a bit more trust. I've had discussions about it with certain people and it was even raised with the TMG team.

                    Anyhow, if you don't believe me that it is safe to put a Windows box on the edge, then please review:
                    http://blogs.technet.com/b/isablog/a...ndows-box.aspx
                    Last edited by Dumber; 1st August 2012, 09:34.
                    Marcel
                    Technical Consultant
                    Netherlands
                    http://www.phetios.com
                    http://blog.nessus.nl

                    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                    "No matter how secure, there is always the human factor."

                    "Enjoy life today, tomorrow may never come."
                    "If you're going through hell, keep going. ~Winston Churchill"



                    • #11
                      Re: Introducing MS TMG as Firewall in network with existing pfSense Router + Firewall

                      Thank you for that information and I appreciate your input!

                      I deployed MS TMG using the single NIC setup for L7 capabilities including redirection.

                      When the time is right and when I learn more about this product, I believe I will reposition the TMG at the edge.
