Microsoft Forefront TechCenter, Forefront Forums: Forefront TMG and ISA Server

Answered Allow all inbound and outbound connections through TMG

  • Wednesday, February 22, 2012 8:04 PM
     
     

    Hi All,

    We are implementing TMG in a back firewall topology for use as a web filter and web caching server. I would like to allow ALL traffic to pass inbound and outbound, except what is explicitly denied. I understand TMG is not a router, although our Cisco firewall is already handling the incoming traffic exceptionally well. I would just like to stop staff from visiting youtube, facebook, myspace, and file sharing sites on their free time which is chewing through our bandwidth (mainly the youtube). With Regex rules in place users can still hit these sites by IP address or prefixing HTTPS so the Cisco firewall is far from ideal. Spending a few hours on this is quicker for me than rewriting firewall rules and looking up IP address blocks on ARIN for all the sites to block.

    We are a software firm, our employees know all the methods to get around things. We have tried DNS to 127.0.0.1, regex rules in the firewall, and even websense. TMG seems to perform what we want best. My question is, can the above be done or will we have NAT problems? Can TMG route, filter and cache without performing NAT?

    Thanks,

    John

Answers

  • Wednesday, February 22, 2012 9:26 PM
    Moderator
     
     Answered

    Hi John,

    TMG is not just a web proxy, it is also an enterprise class firewall (EAL4+ certified in fact), so it can easily be used as a front or back firewall. Given its application-awareness and functionality I would propose/argue it is likely even more secure than your existing Cisco firewall ;)

    As indicated by Mark you can define network rules that allow the firewall to either NAT or route, as required. So it can be "a router" if that's what you want!

    By default the HTTP protocol is bound to the web proxy filter which will naturally proxy the outbound traffic and hence the original source IP will be the TMG server and not the original client. For other protocols, they will inherit the mode defined in the network rules and you can employ NAT or route modes.

    The most functional location for TMG is inline between your LAN and the internal interface of your existing Cisco firewall, thereby creating a back to back firewall topology. I would use the edge firewall template in TMG and configure the internal interface of TMG to become the default gateway for outbound Internet traffic. In this topology you can join TMG to the domain to gain user level control (with the TMG client too) to give you a lot of granularity and control.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

  • Thursday, February 23, 2012 12:26 AM
    Moderator
     
     Answered

    Ok, If you have an "empty perimeter" network without hosts, it is sometimes easier to just use the edge template, as this negates TMG creating the perimeter network, but this is your call really...

    No, you now have a new firewall that has a deny by default approach, so it will need to mirror the existing Cisco firewall policy at the MINIMUM...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

  • Thursday, February 23, 2012 2:15 PM
    Answerer
     
     Answered
    Keep in mind that if you use it as a "Back Firewall" and you choose to have it route, you may have issues with any non-web protocols you publish. Non web protocols require a NAT relationship to exist. Personally I would use the "Edge" template even if it is truly a back firewall. If you have any machines in your DMZ that you absolutely have to route to you can take care of that pretty easily.

All Replies

  • Wednesday, February 22, 2012 8:13 PM
     
     

    Hi,

    Yes. Under Networks and then the Network Rules you can specify what kind of relationship networks have with each other: Routed or NAT.


    Best regards,
    Mark Scholman.
    Infrastructure Engineer

  • Wednesday, February 22, 2012 10:33 PM
     
     

    Hi JJ,

    I have used the back firewall template and I will configure the routing, I just want to ensure VPN users are not blocked from RDP to their desktops. By turning on routing, all traffic will be allowed in both directions by default? Or will I need to create additional inbound rules?

    This is the proposed topology:

  • Thursday, February 23, 2012 2:35 PM
    Moderator
     
     
    Keith,

    Yeah, I always use edge, hence why I mentioned it...the back firewall template just seems to confuse people in my experience :)

    I thought you could solve that by getting the listener to listen on all addresses and then configure the front firewall to NAT direct to the published server address and not an address on the outside of TMG? Like this: http://blogs.isaserver.org/shinder/2008/05/14/server-publishing-rules-and-route-network-rules-for-isa-and-the-forefront-tmg/

    Pretty sure I have done that before for routed back firewall deployments with good success...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk