Answered TMG and BES

  • Tuesday, September 18, 2012 3:32 PM

    Scenario - TMG deployment in the DMZ with a single network adapter (private address range). This server is acting as a reverse proxy. Is it possible to also act as a forward proxy with port 3101 outbound for BlackBerry?

All Replies

  • Tuesday, September 18, 2012 3:42 PM

    You would need to make sure TMG has an access rule to allow that type of traffic inbound and outbound, then you would need to configure your BES server to route outbound traffic to your TMG server.


    Nathan Storms | The Architect Evangelist

  • Tuesday, September 18, 2012 6:08 PM

    Thanks for the reply. As far as I understood it, outbound is all that's needed for the protocol rule, as BES initiates it, but the control channel is bi-directional?

    The static route was in place from the BES server, but the network / FW department was never able to get the traffic to route via the TMG server. All I wanted to confirm was that what I am trying to accomplish is technically possible with TMG using a single network adapter placed in a demilitarized zone. I thought yes, but was told otherwise.

  • Wednesday, September 19, 2012 8:29 AM
    Moderator

    Hi,

    Thank you for the post.

    In single NIC mode, TMG is preferred to be used as a forward proxy server, and there are many limitations for a single NIC: http://technet.microsoft.com/en-us/library/cc995236.aspx.

    Regards,


    Nick Gu - MSFT

  • Wednesday, September 19, 2012 8:40 AM

    Hi

    Thanks, I found that article also, so the statement 'Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols through the Forefront TMG server.' means that this should actually work, right?

  • Wednesday, September 19, 2012 11:08 AM

    Hi Amig@. Not sure what that statement refers to. What I can tell you is that no firewall operates with only a single NIC, and TMG is not an exception. A firewall has to isolate two -or more- networks, and a single-NIC machine cannot isolate anything. TMG with a single NIC is just a web proxy, and thus only web proxy clients are supported. With "web proxy clients" I mean applications that are configured to use a web proxy server (e.g. an Internet browser or a messenger application). Only HTTP, HTTPS and FTP downloads will be served in this scenario.

    Regards


    // Raúl - I love this game

  • Wednesday, September 19, 2012 12:32 PM

    Thanks. For my understanding, how does accessing a custom port on the Internet via a proxy server differ from an HTTP or HTTPS request? Does it mean the client needs to be proxy aware, which means no routing for you with one NIC?

    Could I not try a socket based FW client like the TMG firewall client on my internal BES host?

  • Wednesday, September 19, 2012 1:05 PM

    Taken from: http://technet.microsoft.com/en-us/library/ee191507.aspx

    Limitations of a single network adapter topology

    The following limitations apply when you use the single network adapter topology:

    • Server publishing and site-to-site VPN are not supported.
    • SecureNAT and Forefront TMG Client traffic are not supported.
    • Access rules must be configured with source addresses that use only internal IP addresses.
    • Firewall policies must not refer to the external network.

    So which does seem to apply to me. I am trying to create an access rule, not a server rule.

  • Wednesday, September 19, 2012 1:39 PM
     Answered

    Hi Amig@. From that paragraph: "SecureNAT and TMG client are not supported" means no routing and no Winsock client. Regarding the statement "Access rules must be configured...", bear in mind that HTTP requests coming from web proxy clients are configured in the TMG admin console just like any other rule: source, destination, protocol... Access rules are the same no matter if TMG is acting as a web proxy or as a firewall. They are just saying that TMG only considers the Internal network when having a single NIC.

    Regards


    // Raúl - I love this game

    • Marked As Answer by J_Systems Wednesday, September 19, 2012 1:46 PM
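To make the distinction in the accepted answer concrete (a single-NIC TMG only serves proxy-aware clients, so a routed protocol such as BES SRP on 3101 is never seen as a proxy request), here is an added example that is not part of the thread: a small probe that asks a web proxy, via HTTP CONNECT, to tunnel to a given host and port and reports the proxy's verdict. The proxy it talks to is a constructed fake started in-process, and the assumption that it tunnels only to 443 and refuses other ports is this example's own, not a statement about any particular TMG policy.

```python
import socket
import threading

# Assumption (this example's fake proxy): CONNECT is tunnelled only to 443.
TUNNEL_PORTS = {443}

def _read_head(sock):
    data = b""
    while b"\r\n\r\n" not in data:  # read until end of the HTTP header block
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def probe_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Ask a web proxy to tunnel to target_host:target_port; return (status, reason)."""
    # Only a proxy-aware client sends this; routed traffic never becomes such a request.
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        head = _read_head(s)
    parts = head.split(b"\r\n", 1)[0].decode(errors="replace").split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {parts!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")

def _handle(conn):
    # Constructed fake proxy: grant CONNECT only for TUNNEL_PORTS, refuse the rest.
    with conn:
        first = _read_head(conn).split(b"\r\n", 1)[0].decode(errors="replace").split()
        port = int(first[1].rsplit(":", 1)[1]) if len(first) > 1 and ":" in first[1] else -1
        if first and first[0] == "CONNECT" and port in TUNNEL_PORTS:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        else:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")

def start_fake_proxy():
    """Start the fake proxy on 127.0.0.1 in a daemon thread; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Pointing probe_connect at a real proxy (with the fake left unstarted) shows which ports the proxy will tunnel for a proxy-aware client; a protocol that cannot speak to the proxy at all, like the BES SRP traffic in this thread, is out of scope for a single-NIC deployment regardless of the answer.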
  • Wednesday, September 19, 2012 1:47 PM
    OK thanks for the info - I will look into another NIC then
  • Wednesday, September 19, 2012 4:49 PM
    Glad to help

    // Raúl - I love this game