Saturday, November 17, 2012 10:33 PM
A little intro - I am not into security or access by trade; I have a background in Exchange and wound up being assigned this task because I once supported Proxy 2.0. I was asked to use TMG to complete this, but I am not sure it's the right tool for the scenario. I have some training lined up, but before I waste days of my time learning about TMG, could someone let me know if this scenario fits the product? My sincere thanks in advance for your advice.
This large company has many sites and domains globally. They want users that log in from domain A (regardless of physical site) to have access to resources in the primary corp domain. Of course there are firewalls separating many of these users from the corporate domain. What they want is a solution that 'proxies' their connections into the corp domain. Can TMG (or another product?) recognize that someone is currently logged into Domain A and allow them to automatically access resources in the Corp Domain?
Customer statement : "this is an internal network that another region would not have direct visibility to due to firewall rules not allowing all global IP networks. For those regions that do not have direct IP access through the perimeter firewall, they should go through a proxy and this proxy would give them visibility into the network as if they were at that location. It will allow 'Domain A' users and reject users from any other Domain."
What I worry about is that it seems TMG / UAG are designed to publish web sites, Exchange, etc., or to allow use via DirectAccess from another 'entity', and I think UAG / DirectAccess is out because they are not 100% Windows 7 and still have XP clients. I need these people to be able to use all resources, not just a published app or web space. This is why I decided to come to the forums; it seems to me that there should be a way to enable this in AD more easily than with a complicated 'proxy' solution.
Sunday, November 18, 2012 7:05 AM
The core issue here comes down to connectivity. For example, you could publish an internal server externally and make it accessible by external users, but it may not be secure: for example, if you publish a Windows file share, the data would be transmitted unencrypted.
Because DirectAccess is not an option, to ensure your data is secure in transit over the internet you are really only left with two options: a Site-to-Site IPsec VPN tunnel or a VPN client.
What I would recommend is setting up Site-to-Site IPsec VPN tunnels between your corporate network and remote networks, with a topology where your remote networks are perimeter networks. Then you can use TMG between your perimeter networks and your internal corporate network, creating an access rule to allow users in Domain A access to your corporate network.
Nathan Storms | The Architect Evangelist
- Proposed As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator), Friday, November 23, 2012 7:19 AM
- Marked As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator), Thursday, November 29, 2012 9:48 AM
Monday, November 19, 2012 10:01 PM
Thank you Nathan for your input.
I have continued research and thought I would add a little more...hopefully this thread can help others like me in the future.
So to continue, this is a corporate network and a single AD forest with multiple domains. The remote sites are set up with point-to-point links; some are just firewalled. What we are trying to do in a nutshell is give people from 'Domain A' (regardless of which of the many sites they may be in) a way to bust through our own firewalls into CORP, and no one else. We are hoping TMG is the solution.
My research has shown that you can create VPN site to site connections much in the way Nathan described. You can also use AD groups to assign only certain users permission to the VPN connection.
Since these are internal corporate sites, would this be a fair proposal?
"UAG with DirectAccess would have been preferred, but we do not have Windows 7 on all clients, and we do not have a certificate-based option. So, we propose to use TMG VPNs with PPTP for internal point-to-point VPNs, using Active Directory, MS-CHAPv2, and security groups for access control, authentication, and logging.
In order to proceed we would need to know if the customer's corporate security and networking team would approve using PPTP. If approved, we need to know the # of VPN users, # of expected maximum concurrent connections, and # of sites they are connecting from to begin. This info is required to determine the # of proc cores / RAM / network interfaces / licenses required to support the proposed solution."
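The access-control model in Nathan's answer (a TMG access rule from the perimeter networks to Internal, restricted to a Domain A user set) and in the proposal above (AD security groups deciding who may use the VPN) reduce to the same evaluation: authenticate, confirm the account belongs to Domain A, confirm group membership, then match the rule's source and destination networks. The following Python is an added example written for this page, not TMG code or anything posted by the thread's authors; it models TMG's top-down, first-match rule evaluation ending in the built-in default deny. The domain names (DOMAINA, DOMAINB), the group name VPN-to-CORP, the network names and the UPN-suffix mapping are assumptions made for the example.

```python
"""Model of the user-based TMG access rule discussed in this thread.

Added illustration, not TMG's own code or API. It models the part of
firewall policy that matters here: rules are evaluated top-down, the first
rule whose networks and user set all match decides, and the built-in last
rule denies everything else. Account-format handling and the sample names
(DOMAINA, DOMAINB, VPN-to-CORP, the UPN suffix map) are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumption: how UPN suffixes in this forest map to NetBIOS domain names.
UPN_SUFFIX_TO_NETBIOS = {
    "domaina.corp.example": "DOMAINA",
    "domainb.corp.example": "DOMAINB",
}


def split_account(account: str) -> Tuple[str, str]:
    """Normalise 'DOMAIN\\user' or 'user@suffix' to (NETBIOS_DOMAIN, user).

    An unknown UPN suffix is returned as-is (upper-cased), so it can never
    equal a configured NetBIOS domain and the request falls through to deny.
    """
    if "\\" in account:
        domain, user = account.split("\\", 1)
        return domain.upper(), user
    if "@" in account:
        user, suffix = account.rsplit("@", 1)
        return UPN_SUFFIX_TO_NETBIOS.get(suffix.lower(), suffix.upper()), user
    # A bare username names no domain; treat it as belonging to none.
    return "", account


@dataclass(frozen=True)
class Connection:
    src_network: str                      # TMG network the request arrived from
    dst_network: str                      # TMG network it is going to
    account: Optional[str] = None         # authenticated principal; None = anonymous
    groups: FrozenSet[str] = frozenset()  # group names from the AD token


@dataclass(frozen=True)
class UserSet:
    name: str
    domain: str            # NetBIOS domain the account must belong to
    group: Optional[str]   # required group; None means any user of that domain

    def contains(self, conn: Connection) -> bool:
        if conn.account is None:            # the rule requires authentication
            return False
        domain, _user = split_account(conn.account)
        if domain != self.domain.upper():   # same username in another domain does not count
            return False
        if self.group is None:
            return True
        return self.group.upper() in {g.upper() for g in conn.groups}


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                      # "allow" or "deny"
    from_networks: FrozenSet[str]
    to_networks: FrozenSet[str]
    users: Optional[UserSet] = None  # None = all users, authenticated or not


DEFAULT_RULE = AccessRule("Default rule", "deny", frozenset(), frozenset())


def evaluate(policy, conn: Connection) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the default deny."""
    for rule in policy:
        if conn.src_network not in rule.from_networks:
            continue
        if conn.dst_network not in rule.to_networks:
            continue
        if rule.users is not None and not rule.users.contains(conn):
            continue
        return rule.action, rule.name
    return DEFAULT_RULE.action, DEFAULT_RULE.name


# The single rule Nathan describes: Domain A users, perimeter networks -> Internal.
DOMAIN_A_VPN_USERS = UserSet("Domain A VPN users", domain="DOMAINA", group="VPN-to-CORP")
POLICY = [
    AccessRule("Allow Domain A to CORP", "allow",
               frozenset({"Perimeter"}), frozenset({"Internal"}), DOMAIN_A_VPN_USERS),
]

if __name__ == "__main__":
    # Constructed sample connections, not real log data.
    for conn in (
        Connection("Perimeter", "Internal", "DOMAINA\\alice", frozenset({"VPN-to-CORP"})),
        Connection("Perimeter", "Internal", "DOMAINB\\alice", frozenset({"VPN-to-CORP"})),
        Connection("Perimeter", "Internal", "alice@domaina.corp.example", frozenset({"VPN-to-CORP"})),
        Connection("Perimeter", "Internal", "DOMAINA\\bob", frozenset({"Domain Users"})),
        Connection("Perimeter", "Internal"),  # anonymous
        Connection("External", "Internal", "DOMAINA\\alice", frozenset({"VPN-to-CORP"})),
    ):
        print(conn.src_network, "->", conn.dst_network, conn.account, evaluate(POLICY, conn))
```

Three details carry the security point. The user set compares the domain component of the authenticated account, so DOMAINB\alice with the same group name is not DOMAINA\alice. An anonymous connection never satisfies a rule that names a user set, so it falls through to the default deny rather than being allowed by accident. And the rule is scoped to the perimeter networks the VPN tunnels terminate in, so the same account arriving from any other network is also denied; access is decided by authenticated identity plus network, not by source IP alone.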
Friday, November 23, 2012 7:18 AM (Moderator)
Thank you for the post.
I agree with Nathan. DirectAccess and site-to-site VPN are the best choice for your scenario. Once you have established the VPN connection, you can create a user-based policy to control the traffic.
Nick Gu - MSFT