More notes on Threat Management Gateway Arrays
In this case I came to a project after the initial installation of the array and there was no dedicated intra-array network installed. I added a new NIC to each VM and configured the IP addressing, VLANs and routing, but could not get the array members to ping each other over the intra-array network, let alone communicate. So the lesson here is to set up the servers with their NICs before you install TMG - Microsoft recommend a dedicated intra-array network and every bit of experience I have with TMG arrays confirms that.
The NIC binding order is simple; the order I have found to work is:
- Intra-array Network
- Private/Internal Network
- Public/External Network
Some people recommend the Private/Internal network first, then the Intra-array, but I have found that this order works better (anyone able to dispute this or give me a reason why it should be the other way?). The key thing is that the External Network (which should be your default Gateway) is last in the binding order, which brings me to the next point…
- Default Gateway: The only NIC with a Default Gateway set should be the Public/External NIC
- DNS: The only NIC with DNS configured should be your Private/Internal NIC
- Register in DNS: The only NIC registering in DNS should be the Private/Internal NIC
- Client for Microsoft Networks: Only enabled on the Private/Internal NIC
- File and Print Sharing for Microsoft Networks: Only enabled on the Private/Internal NIC
- NetBIOS over TCP/IP: Only enabled on the Private/Internal NIC
Add any static and persistent routes required and make sure you can access those networks before installing TMG. This allows you to get the routing right without the complication of TMG rules and firewalls.
Then, and only then, install TMG 🙂
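As an added example (not code from the original post), here is a PowerShell audit script that checks the pre-install settings above on a prospective array member. It assumes the three connections have been renamed in Network Connections to 'Intra-array', 'Internal' and 'External', and the route targets are constructed sample addresses; change all of these to match your own servers. It reads only WMI and the Tcpip, LanmanWorkstation and LanmanServer Linkage registry keys, so it runs on the PowerShell 2.0 that ships with Windows Server 2008 R2 without the later NetAdapter module.

```powershell
# Added pre-install audit for a TMG array member (example, not from the original post).
# Assumed connection names: rename your NICs in Network Connections to match, or edit these.
$IntraArrayNic = 'Intra-array'
$InternalNic   = 'Internal'
$ExternalNic   = 'External'
$ExpectedOrder = @($IntraArrayNic, $InternalNic, $ExternalNic)

# Constructed sample addresses behind the static routes; replace with hosts on your routed networks.
$RouteTargets  = @('10.10.20.1', '10.10.30.1')

$findings = @()

# Join Win32_NetworkAdapter (friendly name) to Win32_NetworkAdapterConfiguration (IP settings) on Index
$adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
$configs  = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$nameByGuid = @{}   # adapter GUID -> connection name
$cfgByName  = @{}   # connection name -> IP configuration
foreach ($cfg in $configs) {
    $adapter = $adapters | Where-Object { $_.Index -eq $cfg.Index }
    if ($adapter) {
        $nameByGuid[$cfg.SettingID.ToUpper()] = $adapter.NetConnectionID
        $cfgByName[$adapter.NetConnectionID] = $cfg
    }
}

# Returns the connection names listed in a service's Linkage\Bind value, in the order they appear;
# each entry names the adapter by its {GUID}, which is all we extract.
function Get-BoundNames($service) {
    $bind  = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Linkage").Bind
    $names = @()
    foreach ($entry in @($bind)) {
        if ($entry -match '\{[0-9A-Fa-f-]+\}') {
            $guid = $matches[0].ToUpper()
            if ($nameByGuid.ContainsKey($guid)) { $names += $nameByGuid[$guid] }
        }
    }
    return $names
}

# 1. Binding order: the Tcpip Linkage key lists adapters in binding order
$actual = @(Get-BoundNames 'Tcpip' | Where-Object { $ExpectedOrder -contains $_ })
if (($actual -join ' > ') -ne ($ExpectedOrder -join ' > ')) {
    $findings += "Binding order is '$($actual -join ' > ')'; expected '$($ExpectedOrder -join ' > ')'"
}

# 2. Client for Microsoft Networks (LanmanWorkstation) and File and Print Sharing (LanmanServer)
#    should be bound only on the internal NIC
$services = @{ 'LanmanWorkstation' = 'Client for Microsoft Networks'; 'LanmanServer' = 'File and Print Sharing' }
foreach ($svc in $services.GetEnumerator()) {
    foreach ($n in @(Get-BoundNames $svc.Key | Select-Object -Unique)) {
        if ($n -ne $InternalNic) { $findings += "$($svc.Value) is bound on $n; it should only be on $InternalNic" }
    }
}

# 3. Per-NIC IP settings: gateway only on External; DNS, DNS registration and NetBIOS only on Internal
foreach ($name in $cfgByName.Keys) {
    $cfg = $cfgByName[$name]
    $hasGateway = ($cfg.DefaultIPGateway     | Measure-Object).Count -gt 0
    $hasDns     = ($cfg.DNSServerSearchOrder | Measure-Object).Count -gt 0
    $registers  = [bool]$cfg.FullDNSRegistrationEnabled
    $netbiosOn  = $cfg.TcpipNetbiosOptions -ne 2   # 2 = NetBIOS over TCP/IP disabled; 0 (DHCP default) counts as on

    if ($hasGateway -and $name -ne $ExternalNic)       { $findings += "$name has a default gateway; only $ExternalNic should" }
    if (-not $hasGateway -and $name -eq $ExternalNic)  { $findings += "$ExternalNic has no default gateway" }
    if ($hasDns -and $name -ne $InternalNic)           { $findings += "$name has DNS servers configured; only $InternalNic should" }
    if ($registers -and $name -ne $InternalNic)        { $findings += "$name registers in DNS; only $InternalNic should" }
    if ($netbiosOn -and $name -ne $InternalNic)        { $findings += "$name has NetBIOS over TCP/IP enabled; only $InternalNic should" }
}

# 4. Persistent routes (route -p add ...) and reachability of the networks behind them
Get-WmiObject Win32_IP4PersistedRouteTable | ForEach-Object {
    Write-Host ("Persistent route: {0}/{1} via {2}" -f $_.Destination, $_.Mask, $_.NextHop)
}
foreach ($t in $RouteTargets) {
    if (-not (Test-Connection -ComputerName $t -Count 2 -Quiet)) {
        $findings += "Cannot reach $t; fix routing before installing TMG"
    }
}

if ($findings.Count -eq 0) { Write-Host 'Pre-install NIC checks passed; safe to install TMG' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

Run it in an elevated PowerShell session on each array member before TMG is installed, and again on any member where the intra-array NIC was added later; every line reported as a FINDING maps directly to one of the settings in the list above. The binding-order check is only as good as the connection names, so confirm it against Advanced Settings in Network Connections the first time you use it.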