This is my current scenario: there are two existing servers in a stand-alone array - TMG01 and TMG02, and over in a DR site there is a new server (TMG03) that is in the process of being built. To comply with DR, all 3 servers must have their configurations up to date, however there is no direct communication allowed between the two DMZs, so simply adding to the new server as an array member is not possible.
It seems that despite my previous experiences with TMG 2010, I still stumble when creating a TMG array. Here are some “notes to self”, which will hopefully stop me making the same mistakes next time
Get the NICs right first In this case I came to a project after the initial installation of the array and there was no dedicated intra-array network installed. I added a new NIC to each VM and configured the IP addressing, VLANs and routing, but could not get the intra-array network to ping, let alone talk to each other.
SSTP or SSL VPN connections are great for people working on client sites or behind very restrictive firewalls – they only require HTTPS (port 443) to be open to be able to connect. Unfortunately, you need to be running Windows 7 or Server 2008 (or newer) in order to make use of them. Threat Management Gateway 2010 is one option for an SSL VPN endpoint.
SSTP VPN Requirements Clients must be Windows 7/Server 2008 or newer Certificate – either commercial or an internal Certificate Authority Published CRL – SSTP clients check for the Certificate Revocation List of the CA If you already have an SSL listener (e.
Getting a SCOM 2007 R2 SCOM agent on TMG is a useful way of monitoring TMG, especially with the SCOM TMG Management Pack – it’s not exactly “out-of-the-box” functionality though, with many sources I’ve read simply stating that it can’t be done. There are some half-working solutions I’ve seen, but nothing that worked for me.
The process involves simply opening the correct ports and protocols between the TMG servers and the SCOM management servers, which after a few attempts watching the live logs, I found.
In this post I will be installing a TMG Array as a “back firewall” behind a hardware firewall. The Array will consist of two virtual servers, TMG01 and TMG02 which each have 3 NICs. One NIC will be dedicated to the LAN network, accessible internally. One NIC will be dedicated to the DMZ network, accessible to the outside world on a static mapped IP. The third NIC will be a dedicated intra-array communications NIC as per Microsoft’s recommendation.
I am mid-migration, in a co-existence setup with Exchange 2010, 2007 and 2003. So far the roles installed for Exchange 2010 are CAS, Hub and Mailbox on a single server. Into this mix I need to introduce an Edge Server, with message hygiene in the form of Forefront Protection for Exchange (FPE) and Threat Management Gateway (TMG) as a reverse proxy to publish OWA, ActiveSync et-al.
Since Edge, FPE and TMG can now all exist on a single 64-bit server, I will start with a clean installation of Windows Server 2008 R2, up to date with all the latest hot fixes.