DefinIT Because if IT were easy, everyone would do it…

31 Aug 2011

More notes on Threat Management Gateway Arrays

Posted by Sam McGeown

It seems that despite my previous experiences with TMG 2010, I still stumble when creating a TMG array. Here are some "notes to self", which will hopefully stop me making the same mistakes next time.

Get the NICs right first

In this case I came to a project after the initial installation of the array and there was no dedicated intra-array network installed. I added a new NIC to each VM and configured the IP addressing, VLANs and routing, but could not get the intra-array NICs to ping, let alone talk to, each other. So the lesson here is to set up the servers with their NICs before you install TMG - Microsoft recommend a dedicated intra-array network and every bit of experience I have with TMG arrays confirms that.

Get the NIC Binding order right

This is simple; the order I have found to work is:

  • Intra-array Network
  • Private/Internal Network
  • Public/External Network

Some people recommend the Private/Internal network first, then the Intra-array, but I have found that this order works better (anyone able to dispute this or give me a reason why it should be the other way?). The key thing is that the External Network (which should be your default Gateway) is last in the binding order, which brings me to the next point...

Get the gateway and routing right

  • Default Gateway: The only NIC with a Default Gateway set should be the Public/External NIC
  • DNS: The only NIC with DNS configured should be your Private/Internal NIC
  • Register in DNS: The only NIC registering in DNS should be the Private/Internal NIC
  • Client for Microsoft Networks: Only enabled on the Private/Internal NIC
  • File and Print Sharing for Microsoft Networks: Only enabled on the Private/Internal NIC
  • NetBIOS over TCP/IP: Only enabled on the Private/Internal NIC

Add any static and persistent routes required and make sure you can access those networks before installing TMG. This allows you to get the routing right without the complication of TMG rules and firewalls.
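The binding order and per-NIC checklist above are easy to get wrong by hand, so here is an added pre-install audit script (my own example, not from the original post or from Microsoft) that checks each of the three NICs against those rules, compares the TCP/IP binding order with the expected one, adds the persistent routes and pings a host on each remote network. It uses WMI and the `route` command rather than the newer NetTCPIP cmdlets so that it runs on Windows Server 2008 R2 / PowerShell 2.0, which is where TMG 2010 lives. The connection names (`Intra-array`, `Internal`, `External`), the route and the sample IP addresses are assumptions; rename them to match your own connections in ncpa.cpl.

```powershell
# Added example: pre-install NIC audit for a TMG 2010 array member.
# Run from an elevated PowerShell prompt on each array member.
# Connection names below are assumptions - match them to ncpa.cpl.
$IntraArray = 'Intra-array'
$Internal   = 'Internal'
$External   = 'External'
$ExpectedBindingOrder = @($IntraArray, $Internal, $External)

# Constructed sample: remote networks that must be reachable via a persistent
# static route before TMG is installed (destination/mask, next hop, a host to ping).
$StaticRoutes = @(
    @{ Destination = '10.20.0.0'; Mask = '255.255.0.0'; Gateway = '10.10.10.1'; TestHost = '10.20.0.10' }
)

# Win32_NetworkAdapter carries the friendly connection name and GUID;
# Win32_NetworkAdapterConfiguration carries the IP settings. They share Index.
$adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
$configs  = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }

function Get-NicConfig([string]$name) {
    $nic = $adapters | Where-Object { $_.NetConnectionID -eq $name }
    if (-not $nic) { throw "No connection named '$name' - rename it in ncpa.cpl first" }
    $cfg = $configs | Where-Object { $_.Index -eq $nic.Index }
    if (-not $cfg) { throw "'$name' has no IP configuration" }
    return $cfg
}

$problems = @()
function Check([bool]$ok, [string]$msg) {
    if ($ok) { Write-Host "[ OK ] $msg" }
    else     { Write-Host "[FAIL] $msg"; $script:problems += $msg }
}

# 1. Per-NIC settings: gateway only on External; DNS servers, DNS registration
#    and NetBIOS only on Internal. (Client for MS Networks / File and Print
#    Sharing are component bindings, not exposed by these WMI classes.)
foreach ($name in $ExpectedBindingOrder) {
    $cfg        = Get-NicConfig $name
    $hasGateway = [bool]($cfg.DefaultIPGateway     | Where-Object { $_ })
    $hasDns     = [bool]($cfg.DNSServerSearchOrder | Where-Object { $_ })
    # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled
    $netbiosOn  = ($cfg.TcpipNetbiosOptions -ne 2)
    $isInternal = ($name -eq $Internal)
    $isExternal = ($name -eq $External)

    Check ($hasGateway -eq $isExternal)                     "$name : default gateway only on $External"
    Check ($hasDns -eq $isInternal)                         "$name : DNS servers only on $Internal"
    Check ($cfg.FullDNSRegistrationEnabled -eq $isInternal) "$name : register in DNS only on $Internal"
    Check ($netbiosOn -eq $isInternal)                      "$name : NetBIOS over TCP/IP only on $Internal"
}

# 2. Binding order: the Tcpip Linkage 'Bind' value lists "\Device\{GUID}" entries
#    in binding order; map each GUID back to its connection name and compare.
$bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$actualOrder = @()
foreach ($entry in $bind) {
    $guid = $entry -replace '^\\Device\\', ''
    $nic  = $adapters | Where-Object { $_.GUID -eq $guid }
    if ($nic) { $actualOrder += $nic.NetConnectionID }
}
$relevant = @($actualOrder | Where-Object { $ExpectedBindingOrder -contains $_ })
Check (($relevant -join ',') -eq ($ExpectedBindingOrder -join ',')) `
      "binding order is $($ExpectedBindingOrder -join ' > ') (actual: $($relevant -join ' > '))"

# 3. Persistent routes: add them (route add -p survives reboots) and prove the
#    remote network answers while no TMG policy is in the way yet.
foreach ($r in $StaticRoutes) {
    route add -p $r.Destination mask $r.Mask $r.Gateway | Out-Null
    $reachable = Test-Connection -ComputerName $r.TestHost -Count 2 -Quiet
    Check $reachable "route $($r.Destination)/$($r.Mask) via $($r.Gateway) : $($r.TestHost) answers ping"
}

if ($problems.Count -eq 0) { Write-Host "All checks passed - safe to install TMG" }
else { Write-Host "$($problems.Count) problem(s) to fix before installing TMG" }
```

The two bindings the script does not cover, Client for Microsoft Networks and File and Print Sharing, are component bindings that on 2008 R2 are only visible in the adapter's properties dialog, so tick those off by hand on the Internal NIC (and untick them on the other two) before moving on to the install.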

Then, and only then, install TMG :)