Forefront TMG deployment with Exchange 2010

  • Question

  • I am planning an Exchange 2010 deployment in a smallish company (100 users).  I intend to install HT/CAS/MB roles on a single server with no EDGE.  We have a Cisco firewall (intending to keep this) and a 3rd party Proxy server (happy to get rid of this if possible). For security reasons I am looking to put something between the HT and the firewall and Forefront TMG seems to be the Microsoft recommended solution.  I've never used ISA or TMG in the past.

    Could anyone advise the network setup for this?  I'm thinking the 3-leg perimeter might be appropriate with (as I understand it) TMG in the DMZ as a domain member, meaning the owa/activesync/outlook anywhere requests would come from outside, pass through the Cisco firewall, hit the TMG server and be passed on to the CAS in the internal network.

    So my questions would be:

    a) is my understanding of the network setup correct?  Any better alternatives?

    b) can I get rid of my existing proxy server and use rules in TMG?

    c) any good documentation you'd recommend?

    Thanks in advance

    Tuesday, August 30, 2011 9:16 AM


All replies

  • Hi,

    a) TMG/ISA is the best thing you can do for publishing Exchange web clients because of the filtering features it has. For this functionality TMG doesn't have to be a domain member; you can use RADIUS or LDAP as alternative authentication methods.

    b) If you want to force authentication for outbound traffic, your TMG should be a member of the domain because then you can use integrated authentication.

    c) www.isaserver.org (English) or www.msisafaq.de (German)

    When you install TMG in the DMZ, then the "Single Network Adapter" template is the right one.

    If you have any further questions feel free to ask.

    Greetings

    Christian


    Christian Groebner MVP Forefront
    Tuesday, August 30, 2011 9:31 AM
  • Thanks for the quick response.

    One of the issues I've had is that although there is TMG documentation, I haven't found so much specifically about Exchange with TMG.  Technet library does indeed say that having TMG in the DMZ usually means "single network adaptor" is appropriate, so from your response I assume that applies when used with Exchange too, so I'll go down that road.

    I'd also like to know some further detail about TMG. As well as using it with Exchange, I'd like to use it as a web proxy for outgoing HTTP from two separate networks (INSIDELAN and WIRELESS). I'd like to keep this traffic separate through TMG and have different rules for each network (I need to be able to monitor URLs and block certain sites). Also I'd like to use TMG as an FTP proxy (so FileZilla traffic etc. passes through TMG). Can you confirm if this is possible while keeping the traffic separate?

    Tuesday, August 30, 2011 11:22 AM
  • Hi,

    Do you know the following site:

    http://technet.microsoft.com/en-us/library/cc995186.aspx

    Publishing Exchange with TMG doesn't mean that you have to use the Single Network Adapter template. You can publish Exchange with all other templates too.

    OK, if you want to separate some networks with TMG, then you'll have to use another template. You should have at least 3 network cards (Internal, External, Wireless) in it. I would recommend using the Back-End template and adding the network for wireless later. In this scenario TMG is behind your Cisco, as shown here: Internet -> Cisco -> TMG -> Internal.

    The advantage of this is that you can use integrated authentication for outbound and inbound traffic. Over the third NIC you will attach the wireless network, and with the rules in TMG you can filter the access for wireless and internal clients. Because of the third NIC the internal network is separated from the wireless network.

    Greetings

    Christian



    Christian Groebner MVP Forefront
    Tuesday, August 30, 2011 11:34 AM
  • Hi Christian,

    Sorry to add to this thread, but I guess I need some info since I was tasked to research Forefront TMG 2010.

    Our company wants to restrict OWA usage to internal and allow it to be used externally by some users only. I have read in some posts that this can only be achieved if we use TMG. Is this possible?

    Thanks

    Tuesday, February 26, 2013 8:59 PM
  • Hi,

    No problem :-)

    This is easy if you have ISA Server 200x or TMG 2010. You only have to configure it like in the following article:

    http://www.isaserver.org/tutorials/publishing-outlook-web-access-microsoft-forefront-tmg.html

    Instead of allowing access to all authenticated users, you can enter a restricted group of users.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Tuesday, February 26, 2013 9:23 PM
  • I see. Thank you so much for your reply.

    So in our company we have around 3K users, and we would like to restrict 300 users from accessing OWA from the internet for security purposes and allow the rest to access OWA normally, no matter whether they are on the internal or external network. That is possible, right?

    We are currently using Exchange 2010. Which would you suggest I should use? ISA 2006 or TMG 2010?

    Sorry, I am not yet very advanced in using ISA/TMG.

    Tuesday, February 26, 2013 10:19 PM
  • Hi,

    OK, that's the other way round now, but you can do it with TMG too. You have to allow it for all users and deny it for the other 300 users in the group. This you can configure in the publishing rule.

    You can't buy ISA or TMG anymore because Microsoft has discontinued them. So if you already have a license you can use it.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Wednesday, February 27, 2013 7:54 AM