locked
TMG and Dynamic IP address RRS feed

  • Question

  • Is it possible to configure TMG with a cable modem that has a dynamic IP address? If so, can somebody point us in the right direction?

    Jay
    • Moved by Shrikant Maske Tuesday, January 19, 2010 6:14 PM As per owners request. (From:Forefront Threat Management Gateway)
    Thursday, June 18, 2009 1:14 AM

Answers

  • It is generally easier to setup the internal NIC as a static IP as the default gateway for the clients.  You should not need a third NIC unless you were setting up a DMZ.  I have always setup my own critical servers with static IP addresses as I did not want to chance anything with DNS and DHCP causing major problems.  In my case I have always viewed the TMG/ISA server as a critical server.


    Michael R. Mastro II
    Thursday, June 18, 2009 2:23 PM

All replies

  • Hi Jaygun,

    I guess it depends on how you're planning to configure the FF Server..  do you want it as an inbound or outbound proxy ? Does it have a single or multiple interfaces?

    If you were doing it as an outbound proxy, then yes, it should be possible. You would setup one interface as the LAN side, on say 192.168.1.1
    the other interface would be the WAN side, and it doens't need to be concerned at all abou what the cable modem's public dynamic address is, it just needs to be able to talk to the LAN side of the modem.

    Of course.. if you want to do inbound it becomes a bit more difficult....

    Try to give me a bit more info about what you're trying to acheive.
    Thursday, June 18, 2009 1:42 AM
  • Would you be availalbe to speak by phone? What we are trying to do is setup a TMG Server as our firewall/gateway. The box that we have has 3 nics in it.
    Behind the TMG, we have an Exchange 2007 setup.
    Jay
    Thursday, June 18, 2009 1:49 AM
  • Hi,

    yes this is possible in the same way as in ISA Server 2006, but I recommend using a router in front of TMG which deals with this work.

    http://www.isaserver.org/tutorials/How_to_Set_up_an_ISA_Server_with_a_Cable_Modem_Connection.html

    regards Marc
    www.nt-faq.de
    www.it-training-grote.de
    Thursday, June 18, 2009 1:58 AM
  • Thank you both for very quick replys. The article looks great. Couple of questions:
    It appears this article explains how to configure the external nic to connect to the WAN and automatically pick up the IP address from the Cable Provider's DHCP server, but how I do configure the internal NIC? Should it be set to a static ip that will be the default gateway for the internal clients? Do I need the third NIC?
    Jay
    • Proposed as answer by pewill Thursday, November 17, 2011 12:32 PM
    Thursday, June 18, 2009 2:05 AM
  • One moe question. What benefit would it be to put the router in front of the ISA? The router also serves as the wireless provider for my network. If we placed the router in front of the ISA then would we lose the ability to use Wifi? Sorry for all these basic questions!!
    Jay
    Thursday, June 18, 2009 2:35 AM
  • It is generally easier to setup the internal NIC as a static IP as the default gateway for the clients.  You should not need a third NIC unless you were setting up a DMZ.  I have always setup my own critical servers with static IP addresses as I did not want to chance anything with DNS and DHCP causing major problems.  In my case I have always viewed the TMG/ISA server as a critical server.


    Michael R. Mastro II
    Thursday, June 18, 2009 2:23 PM
  • I need to do something similar except I have a dual wan router and would like to keep both WAN connections connected directly to the router. I have Server 2008 running with other servers in VMware and would like to have three nics, Internal, Wan (Still with internal IP) DMZ. I'm really interested in using TMG's publishing features. I use a domain name with DDNS to route back to my network. I have tried multiple configuration options with all failing to accomplish all that I need to accomplish. Thanks for any guidance you can provide. I almost forgot to add both my wan connections are DHCP and this is my only option.
    • Edited by joetlawson Saturday, January 7, 2017 8:10 PM Added details
    Saturday, January 7, 2017 8:07 PM
  • Why would you mention the internal NIC when the question is about the WAN port. OP mentions that the cable modem assigns a dynamic IP instead of a static one.
    Monday, August 31, 2020 10:42 AM
  • Internal should ideally remain static otherwise whenever the internal IP changes, internal users will be unable to connect until the internal DNS updates to the TMG's new LAN IP. For example, if the DNS resolves tmg.corp.local to 192.168.1.1 then the IP changes to 192.168.1.11, all requests from clients for tmg.corp.local will fail until the internal DNS server updates its records to the new IP.
    Monday, August 31, 2020 10:45 AM
  • Behind the ISA/TMG, the router would have the ISA/TMG server's internal address or IP as its default gateway. If you place it in front of the ISA/TMG, then it would act as a default gateway for the ISA/TMG alone, and for wireless devices, routing directly to the Internet via the cable modem. All wired clients would be routed via the TMG/ISA to the router and from there to the cable modem.
    Monday, August 31, 2020 10:48 AM
  • The dual WAN router will have both WAN1 and WAN2 as dynamic, the internal IP will be configured as static and this will be the default gateway for the TMG/IS server. The published server should be placed in the DMZ and will have its default gateway configured to the DMZ facing IP configured on the TMG server. E.g. TMG WAN: 192.168.10.2 with default gateway 192.168.10.1 (which would be assigned to the LAN port on the Dual WAN router), and TMG DMZ IP: 192.168.3.1 and the published server would have the IP 192.168.3.10 with default gateway set to 192.168.3.1. The firewall publishing rule will have the listener on the WAN port, routing traffic to the DMZ interface/network. Your DDNS will of course point to either WAN1 or WAN2 (or both if you have redundancy option).
    Monday, August 31, 2020 10:53 AM