ForeFront 2010 TMG and Exchange Edge Server in DMZ

  • Question

  • (I have found several articles all hinting to the below mentioned model, but want to be clear 100% that I can do this and that I am protecting my network the best I can).

    First - I have read that with TMG I can publish the Exchange 2010 OWA access for my users to access mail when on the road.  Initial findings show a TMG server with 2 legs (some with 3 legs, the 3rd for the published OWA on its own). However - in each instance it appears that if I have a hardware firewall in place protecting my backbone from the internet the ForeFront server would be bridging the firewall - and would become the weakest point - meaning that if that server were compromised then potentially I would be opening the way for backbone traffic by bypassing the firewall.

    So here is my question - my desire.  I want an Exchange 2010 Edge server in a DMZ - and I want to leverage the same hardware to have TMG running on that box - only to allow publishing of the OWA access for my users on the road.

    It would be a single NIC setup for TMG - I have read http://technet.microsoft.com/en-us/library/cc995236.aspx and it appears to make this clear I can do this.

    The model I am looking for is TMG to publish (reverse proxy) the Exchange OWA access - with rules thru the firewall (hardware) and IDS to monitor - in this way traffic that attempts to jump port will be whacked right off.

    The same box - would handle the Edge role - and passing mail to Exch 2010 HUB - I assume ForeFront will now need rules to allow External network inbound on 25 and 443 - 25 to localhost and 443 to internal network?

    This is where my question lies.

    1) Network definitions - 127.0.0.1 thru 127.255.255.255 is local traffic / everything not in that range is considered external?

    2) Rules - traffic from external port 25 inbound to edge?

    3) Rules - traffic from external port 443 inbound to published forefront exch OWA?

    4) I would also need to build rules thru the firewall (hardware) - would this be true - that all I need is 443 and 25 inbound destined for backbone servers?

    5) Outbound rules thru the hardware (firewall) - would all I need are 25 from HUB to Edge/TMG, 443 from CAS to Edge/TMG, and the LDP port for Edge Subscription? Or is that too simple - am I missing something?

    Thanks so much - thoughts / ideas / flaws - I am open to discussion.

    J

    Tuesday, December 7, 2010 7:50 PM

Answers

  • Hi J,

    If you need a two NIC deployment, how about connecting the external interface to the Internet and the internal interface to your hardware firewall DMZ? This article discusses that topology well: http://www.isaserver.org/tutorials/Creating-Parallel-ISA-Firewall-Configuration-Netscreen-DMZ.html

    Your comment about "if that server were compromised..." is an interesting one as ISA/TMG has never been compromised. ISA (and TMG soon too no doubt) is an EAL4+ common criteria certified firewall that can probably hold its own as well as your hardware firewall, if not better. If you are worried about TMG, should you not also be worried about your hardware firewall? Anyhow, people don't attack firewalls anymore, they attack applications; exactly why application layer firewalls and reverse proxies are so important with many modern Internet facing applications.

    To me, one of the better topologies is to use a network firewall as the edge firewall and then supplement this with an application layer firewall (like ISA/TMG) as the back firewall. However, this often needs to be architected this way rather than something you just "drop in" later. This may help too: http://blog.msedge.org.uk/2010/08/should-i-place-forefront-tmg-at-edge-of.html

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by smurfman Friday, December 10, 2010 1:52 PM
    Wednesday, December 8, 2010 12:10 AM
    Moderator
  • Hi,

    1) yes, Single NIC for OWA/OA/EAS
    2) yes, with two NICs you can use Server publishing rules for non-Webserver protocols. TMG has some application filters for non-Webserver protocols to do basic filtering (for example the SMTP filter which is able to filter SMTP verbs) but Server publishing is only a form of advanced port forwarding
    2a) yes, VLAN tagging or something like that
    3) no, the authentication doesn't change when you use more than one NIC. Your authentication options depend on the decision for domain membership of TMG or not and the types of services you want to publish. There are several ways for authentication on TMG depending on published services. You will find all this information in the link "ISA Server authentication" in my other answer


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    • Marked as answer by smurfman Friday, December 10, 2010 1:52 PM
    Wednesday, December 8, 2010 7:16 PM

All replies

  • Hi,

    if you want to use TMG as your E-Mail protection Gateway, your TMG Server needs a minimum of two NICs. With the Single Network Adapter template only Web Publishing (OWA, EAS, OA) is supported but not the required SMTP Gateway/ Filter functionality.
    Yes, for SMTP Publishing you will need port 25 and port 443 for OWA/EAS/OA
    1) In a single Network Adapter modus, everything is INTERNAL and there is no EXTERNAL!
    2) yes, if you do not want to use Edge synchronization. Please read: http://technet.microsoft.com/en-us/library/ee338733.aspx
    http://www.isaserver.org/tutorials/Configuring-using-E-Mail-protection-feature-Microsoft-Forefront-Threat-Management-Gateway-Beta-2-Part1.html
    http://www.msexchange.org/articles_tutorials/exchange-server-2010/migration-deployment/exchange-server-2010-edge-server-microsoft-threat-management-gateway.html
    3) Yes (http://www.isaserver.org/tutorials/Publishing-Outlook-Web-Access-Microsoft-Forefront-TMG.html)
    4) yes, port 443 and 25 must be open at the Firewall in front of TMG
    5) yes and the ports for TMG to communicate with your Active Directory. If TMG is domain member you have to open a lot of ports. If TMG is a member of a workgroup you have to use LDAP for user authentication in Server publishing scenarios or RADIUS for user authentication in Forward and reverse proxy scenarios!

    Please note: Your TMG requires more than one NIC for your desired configuration!


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Tuesday, December 7, 2010 8:09 PM
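    As an added example (not from this thread, and not Microsoft's or TMG's own code), the Python script below models the two hardware firewalls in the design discussed above as deny-by-default rule sets and checks candidate flows against them. It encodes the ports the thread names (25 and 443 inbound at the front firewall; 25 and 443 from the DMZ box to the Hub and CAS; LDAP from the DMZ box to the directory) and adds RADIUS 1812, LDAPS 636 and the EdgeSync port 50636, which are assumptions taken from the standard Exchange/TMG documentation rather than from the thread. All addresses, host names and rule names are constructed placeholders. It also includes a small helper showing which TMG network a single-NIC TMG assigns an address to, which is the point Marc makes in item 1.

```python
"""Added example (not from the thread, not Microsoft's or TMG's code):
a deny-by-default model of the front/back firewall rule sets the thread
discusses, plus a check of which TMG network a single-NIC TMG assigns an
address to. All addresses and host names are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR the packet's source must fall in
    dst: str      # CIDR the packet's destination must fall in
    proto: str    # "tcp" or "udp"
    port: int     # destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


# Constructed address plan (placeholders, assumed for the example only)
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
INTERNAL = "10.0.0.0/24"
DMZ_HOST = "192.0.2.10/32"   # the single-NIC TMG + Edge box in the DMZ
HUB = "10.0.0.20/32"         # Exchange Hub Transport
CAS = "10.0.0.30/32"         # Exchange Client Access (OWA/OA/EAS backend)
DC = "10.0.0.40/32"          # domain controller used for LDAP/RADIUS

# Every rule is an allow; anything unmatched is implicitly denied.
FIREWALLS = {
    "front": [   # hardware firewall between the Internet and the DMZ
        Rule("smtp-in", INTERNET, DMZ_HOST, "tcp", 25),
        Rule("https-in", INTERNET, DMZ_HOST, "tcp", 443),
    ],
    "back": [    # hardware firewall between the DMZ and the backbone
        Rule("edge-to-hub-smtp", DMZ_HOST, HUB, "tcp", 25),
        Rule("hub-to-edge-smtp", HUB, DMZ_HOST, "tcp", 25),
        Rule("edgesync", HUB, DMZ_HOST, "tcp", 50636),       # EdgeSync secure LDAP (assumed port)
        Rule("owa-to-cas", DMZ_HOST, CAS, "tcp", 443),
        Rule("tmg-ldaps-auth", DMZ_HOST, DC, "tcp", 636),    # LDAPS for a non-domain TMG (assumed)
        Rule("tmg-radius-auth", DMZ_HOST, DC, "udp", 1812),  # RADIUS (assumed)
    ],
}


def first_match(rules, flow):
    """Return the first rule matching the flow, or None (implicit deny)."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto == flow.proto and r.port == flow.port):
            return r
    return None


def zone(addr):
    """Classify an address into the three zones of the design."""
    a = ip_address(addr)
    if a in ip_network(INTERNAL):
        return "internal"
    if a in ip_network(DMZ):
        return "dmz"
    return "internet"


def firewalls_crossed(flow):
    """Which hardware firewalls sit between the two endpoints' zones."""
    order = {"internet": 0, "dmz": 1, "internal": 2}
    lo, hi = sorted((order[zone(flow.src)], order[zone(flow.dst)]))
    crossed = []
    if lo == 0 and hi >= 1:
        crossed.append("front")
    if hi == 2 and lo <= 1:
        crossed.append("back")
    return crossed


def explain(flow):
    """List (firewall, matched rule name or 'implicit deny') per firewall crossed."""
    out = []
    for name in firewalls_crossed(flow):
        r = first_match(FIREWALLS[name], flow)
        out.append((name, r.name if r else "implicit deny"))
    return out


def path_permitted(flow):
    """True only if every firewall on the path has an allow rule for the flow.
    A flow inside one zone crosses no firewall and is trivially permitted here."""
    return all(rule != "implicit deny" for _, rule in explain(flow))


def single_nic_tmg_network(addr):
    """The TMG network a single-NIC TMG assigns an address to: only Local Host
    (127.0.0.0/8) and Internal exist, so an Internet client is 'Internal' to TMG."""
    return "Local Host" if ip_address(addr) in ip_network("127.0.0.0/8") else "Internal"
```

    Calling `explain(Flow("198.51.100.5", "10.0.0.30", "tcp", 443))` shows that a direct Internet-to-CAS connection is stopped at both firewalls, while the same port from the DMZ box to the CAS is allowed only by the back firewall's `owa-to-cas` rule; this is the separation the thread's items 4 and 5 are after. The single-NIC helper makes the other point explicit: TMG on one NIC cannot tell an Internet client from the backbone, so the zone boundaries in this design come from the two hardware firewalls, not from TMG.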
  • Jason, Marc, excellent points for consideration. 

    I am trying to digest some things...

    1) If all I am interested in is OWA publishing thru TMG only - it sounds as if a Single NIC is all I need - is this correct?  "With the Single Network Adapter template only Web Publishing (OWA, EAS, OA) is supported but not the required SMTP Gateway/ Filter functionality" in other words - do I have to use a two NIC configuration? The comment that there is no External - I am not sure I agree with - by definition everything that is not 127.0.0.1 thru 127.255.255.255 while it may be marked as Internal (http://technet.microsoft.com/en-us/library/cc995236.aspx ) is technically external as it is everything else that is not local... bit confusing - if you can clarify.

    Originally - all I was going to do was replace an old SMTP Virtual Server - with Edge - I already have filtering and monitoring software running internal that would actually act as the receive service for the Edge and then pass off to Exchange HUB.  But I wanted to be able to give access to my road users' mail - without having them log into a VPN.

    Thus I started reading about being able to publish / reverse proxy the Client Access.  The firewall people were not thrilled about bridging the firewall by allowing direct public access to the NIC residing in the same network as the firewall on my ISA/TMG server that is handling all internal traffic to the web with monitoring and filtering.  So we started looking at putting a second TMG server in the DMZ on the same box as the SMTP (Edge) just to conserve hardware and licensing etc etc.  My goal is only for allowing client access from the public untrusted network (which technically is what the SMTP receive service is doing as well - it gets mail from untrusted networks and just passes them to the filtering software - a sacrificial lamb as it were).

    So my thinking is why not just use the same IP (NIC) already in the DMZ and allow untrusted https to connect, at which point the TMG server now in place would be the guy presenting https for the login/authentication (my understanding from your comment Marc is that I would need several AD holes in the firewall to make this happen) would I not need this in a 2 NIC configuration? - I think I would if the box were truly in the DMZ where AD is on the backbone behind the hardware firewall and TMG is in the DMZ.  From there the traffic after authentication would be allowed to talk with Exchange on the backbone (using the hardware firewall rules and IDS to monitor) with TMG only allowing the 443 traffic.

    I am not sure based on your comments above - which is the best way to go.  Lets say I wanted to use 2 NIC's -

    1) Does this mean I would place both in DMZs on the Firewall and only expose port 25 and 443 to the External Network and then allow the other traffic to route to the backbone thru the firewall?

    2) Or - does it mean that I would place the External NIC as is in the DMZ - and the other NIC on the same network as my Firewall that attaches to the backbone and is also where my other TMG server is located - so traffic would come in on the external network, go thru TMG in the DMZ, then out the "internal" NIC, then in the "external" NIC of my backbone TMG server thru that firewall and then to my backbone.  In effect all traffic would be passing thru 2 TMG firewalls and one Hardware firewall...

    3) Or would a single NIC be enough - where all I want to do is allow SMTP/HTTPS in (which I presume would be considered the "internal" network based on what a single NIC sees the IP address as) that traffic then is allowed to pass thru the hardware firewall to the backbone.

    4) If my firewall only had one port left for a DMZ - am I stuck with a single NIC solution - in the absence of adding a switch on that DMZ and VLANs?

    Thanks so much.

    J

     

    Wednesday, December 8, 2010 2:45 PM
  • HI,

    a) if you want to publish OWA, Single NIC is sufficient. If you want to use TMG for SMTP Server publishing or as an email protection Gateway you have to use more than one NIC!
    If you only have one NIC everything is INTERNAL and there is no EXTERNAL - please read:  http://technet.microsoft.com/en-us/library/cc302586.aspx
    1) yes (Port 25 for SMTP, Port 443 for OWA/OA/EAS)
    2) If you want to use TMG in the DMZ with two NIC, one NIC must be attached to the Front Firewall and the other NIC to the Backfirewall
    3) No. If you want to publish SMTP or email protection features of TMG you must have more than one NIC
    4) TMG needs two NICs, one NIC connected to the Front Firewall, one NIC connected to the Backfirewall. If the existing Firewalls don't have enough ports you must use a switch to "extend" the available ports

     


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Wednesday, December 8, 2010 4:40 PM
  • Thanks Marc, I appreciate your comments.

    I suspected that the answer was to extend an existing port with a switch. If I was limited with ports - I suppose in that instance I would just need to have 2 VLAN on that switch one for each leg and let the firewall rules on the hardware - determine what is allowed to go where.

    1) You mention publish SMTP or email protection features of TMG (is this like the ForeFront 2010 for Exchange) AV and Malware etc etc or if the Edge role was not going to be on this box as well -  If so and I already have a solution in place elsewhere for AV and filtering - I would be okay by the sounds of what you are saying, is this correct?

    2) If I wanted to publish POP3 access in the future - would I be able to do this as well with a Single NIC TMG solution? The reason I ask this is that I may want to allow mobile device connectivity for users not using a Windows phone, but who can access a POP3 account and also avoid the extra wireless provider fees - would this be the way to go?

    3) For TMG and LDAP - this would really only be rules from the box in the DMZ to the backbone AD servers - TMG itself would protect any AD hacking that could take place from the internet?  The part I am getting confused with - and again - forefront question I presume... but please - talk me thru traffic:

    From the internet anywhere on port 25/443 to my Edge box in DMZ - TMG rules allow 25/443 on what I guess is considered internal even though from internet (but with one NIC that is what it would see it as) then from there the traffic is allowed or denied to the local network - local network 127.0.0.1-127.255.255.255 would go back thru DMZ / Firewall to backbone ?  LDAP rules on the box must know also that the local network is where the LDAP info must be coming and going to? 

    Thanks so much. 

    J

    Wednesday, December 8, 2010 5:01 PM
  • Hi,

    1) yes, for email protection please read: http://blogs.technet.com/b/yuridiogenes/archive/2009/08/15/forefront-tmg-email-protection.aspx. You must not use TMG as an SMTP gateway
    2) No, please read the link I provided in my other answer
    3) yes, you only need to open LDAP ports from TMG through the Backfirewall. If you want to use user authentication in Firewall rules you have to use RADIUS and when you want to use user authentication in publishing rules (OWA/EAS/OA) you have to use LDAP when TMG is not a member of the domain. Please read: http://technet.microsoft.com/en-us/library/bb794722.aspx
    4) no Single NIC with SMTP!


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Wednesday, December 8, 2010 5:15 PM
  • Thanks

    So bottom line:

    1) If I only want to be able to publish OWA/OA Active Sync - then I can do a single NIC in the DMZ.  I can install this on the same box as my Edge Server - as I am reading that a Single NIC TMG solution - can support rules http://technet.microsoft.com/en-us/library/cc995236.aspx ( "Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols through the Forefront TMG server." ) SMTP traffic inbound port 25 would be rule based and pass thru TMG (Edge would then handle it) and send to Exchange or SMTP on the backbone.

    2) If I want POP3 in the future along with Publishing OWA/OA - I need 2 NICs - One in DMZ as untrusted, the other as internal pointing to firewall as trusted.  This will allow me to publish both the OWA/OA and POP3 for remote user access.  TMG would handle the publishing but would simply pass the other ports?

    Again I am only talking TMG not the TMG for Exchange piece.

    And if I am limited in ports for the firewall - I need to stick a switch in there - 2 VLANs - one for DMZ public NIC one for private NIC -

    3) With a 2 NIC model - does it change how authentication works - because again the TMG server is still not part of the domain correct?

    J

     

    Wednesday, December 8, 2010 6:37 PM