Planning a new network topology, Comments Please: TMG/Cisco DMZ; Exchange Edge; Site to Site VPN; Web Filtering
Tuesday, February 12, 2013 10:32 PM
I've been charged with trying to correctly structure a (friend of the family's) small company network, and tie in a remote office to the headquarters via VPN. I've been scouring all the whitepapers and manuals I can find before I jump in, to try and plan the best way of structuring this so that it ticks all the requirements boxes and is as secure as possible. Previously they had a single 2008 R2 Server running ADDS, DNS, DHCP, Exchange 2010, and they were wanting to open this box up to the internet to allow OWA and users to receive mail on their iPhones. When I heard about this I advised them that their 'engineer' probably doesn't know what he's doing, as even I know with my dated knowledge that this isn't right! Me and my big mouth haha!
Well, it's been a while since I've had any involvement with this kind of work, but based on what I've read so far, I've come up with the following plan and I'd like to know if you guys think it's sufficient, or can chip in with any advice on how I can improve the design, or point me in the direction of any essential reading:
The image can be found here: (copy & paste only, as even though I've verified my account here I can't post links or images for some reason)
Now the requirements that I need to fulfil:
1) Client access to the Exchange via the internet using OWA
2) Client access to Exchange from iPhone
3) Client access to Exchange via Outlook when connected to LAN at HQ or at Remote Site Office
4) Internet filter (url or keyword filtering) for users that belong to a specific security group in AD - Both at the remote site and HQ
5) Access to File Server (SRV-FS1) from clients at Remote Site Office.
Ok, so the questions that I have so far:
1) Should I let the Cisco Routers handle the Site-to-Site VPN that I will need or is it more practical to allow TMG handle the VPN?
2) How can I force internet requests from Clients at the remote site to pass through TMG filters (if they are users of the restricted group)?
3) I plan for only one physical server (SRV-VMH1) at the HQ office, which is running the 4 VMs as shown above. The server will have 5 Gigabit LAN connections, One onboard and two PCI-E HP Server Dual Port NICs. I plan to use one of the HP cards solely for the TMG Server VM, one port of which will be assigned to the public static IP from the ISP, and will be connected directly to FastEthernet 0/0 of the Cisco 1760. The other port of this card will have its address in the 10.0.0.x range of the internal network and will be connected to a Gigabit switch.
For the second NIC I plan to team both ports together and bind it to the other 3 VMs.
The onboard NIC I plan to use for direct access to the VM host.
Is this the most optimized configuration for use with TMG based on the hardware we have available?
ANY information that you can throw my way will be very much appreciated!
Tuesday, February 19, 2013 6:12 AM (Moderator)
Thank you for the post.
“Should I let the Cisco Routers handle the Site-to-Site VPN that I will need or is it more practical to allow TMG handle the VPN?” – you can use either the Cisco router or the TMG server to handle the VPN traffic.
“How can I force internet requests from Clients at the remote site to pass through TMG filters (if they are users of the restricted group)?” – you can create an access rule to allow remote VPN users to access the internet.
“Is this the most optimized configuration for use with TMG based on the hardware we have available?” – yes, the configuration is no problem.
Nick Gu - MSFT
- Marked As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator), Thursday, February 21, 2013 1:35 PM
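The access rule the answer mentions only filters traffic that actually reaches TMG, so the second question really comes down to getting the remote-site browsers to send their internet requests to TMG in the first place. One common way to do that for a specific AD group is to make those users web-proxy clients: push a proxy auto-config (PAC) script to the restricted group through a user-scoped GPO, and let the TMG access rule match on a user set tied to that group. The PAC below is an added example written for this thread, not code from the original post or from Microsoft. It assumes TMG's web-proxy listener is at 10.0.0.2:8080 (placeholder address in the poster's 10.0.0.x range), that the internal AD DNS suffix is corp.example, and that both offices use 10.0.0.0/8 addresses; the small helper functions stand in for the ones a browser's PAC engine provides natively, so the file can also be exercised under Node.js.

```javascript
// Added example: PAC script for the remote site's restricted users, plus
// minimal stand-ins for the PAC helpers (isInNet, isPlainHostName,
// dnsDomainIs) so the logic can be run and tested outside a browser.
// Assumed values (not from the thread): TMG web-proxy listener 10.0.0.2:8080,
// internal DNS suffix corp.example, RFC 1918 range 10.0.0.0/8 for both sites.

const TMG_PROXY = 'PROXY 10.0.0.2:8080';  // placeholder TMG internal address
const INTERNAL_DOMAIN = '.corp.example';  // assumed AD DNS suffix

// Convert dotted-quad text to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}

// Stand-in for the PAC isInNet(): true when ip falls inside net/mask.
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Stand-in for the PAC isPlainHostName(): single-label names such as SRV-FS1.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// Stand-in for the PAC dnsDomainIs(): host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Entry point the browser calls for every request.
// Intranet names (SRV-FS1, mail.corp.example) and 10.x.x.x literals are
// reached directly over the site-to-site VPN; everything else is internet
// traffic and is handed to TMG, where the group-based access rule applies.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return 'DIRECT';
  }
  if (IPV4_LITERAL.test(host) && isInNet(host, '10.0.0.0', '255.0.0.0')) {
    return 'DIRECT';
  }
  return TMG_PROXY;
}

module.exports = { FindProxyForURL, isInNet, ipToInt };
```

Two things are needed on the TMG side for this to filter by group: the web-proxy listener on the internal network must require authentication, and the access rule that allows HTTP/HTTPS from the remote site to the External network should have its Users tab set to a user set containing the restricted AD group, with the URL or keyword filtering attached to that rule. Users outside the group never receive the PAC and keep their current path out, which is the behaviour the original post asked for.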
Friday, February 22, 2013 6:06 PM
Great stuff Nick, thanks!
It's always good to know your map is good before you head off trekking!