[This article originally appeared in the "Closer to the Edge" blog at:
A high-level overview of network adapter configuration best practice is provided below:
Based upon these best practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment.
Configuration Step 1 – Rename Network Adapters:
Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:
UAG adapter connected to the trusted network: Internal Network
UAG adapter connected to the untrusted network: External Network
Tip: Matching the names is not essential; it just makes mapping networks between UAG, TMG and Windows much easier when troubleshooting…
Configuration Step 2 – Configure Network Adapters:
The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.
Internal Network Adapter
The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using
an existing edge/front firewall.
External Network Adapter
Please Note: The 'File and Print Sharing for Microsoft Networks' binding on the TMG internal adapter is left at the default settings of
Enabled on the TMG Internal Network adapter. This allows for the use of the
Internal Network adapter for intra-array services when using a Forefront UAG array.
Configuration Step 3 – Amend Bind Order:
Edit the network adapter bind order to place the
Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:
Internal Network (Highest)
External Network (Lowest)
Configuration Step 4 – Run the UAG Network Interfaces Wizard:
You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective
Internal and External connection types/roles.
Important! As you have configured the default gateway on the
External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the
Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is
not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the
UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow…
This article was originally written by:
Jason Jones, Forefront MVP
Principal Security Consultant
My Forefront Edge Blog: http://blog.msedge.org.uk/
My ISA Server Blog: http://blog.msfirewall.org.uk/
MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones
These additions by:
Jared Poeppelman, Microsoft
excellent post, just what I needed. Cheers
Thanks, Jason. Great article!