Configuring TMG 2010 Firewall with Multiple NICs in Enterprise Network

As we know that from ISA 2004, multi-networking is supported. Multi-networking means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic among all networks. Here, we will configure multi-networking in TMG 2010 Firewall and it will remain same as in ISA Server 2004/2006.When we enable multiple networks in TMG 2010 Firewall; we must configure network rules that define how network packets will be passed between networks or between computers.

For this, we should familiar with Network Rules of TMG 2010.Network rules determine network relationships between two networks where networking relationships can be NAT or ROUTE.

ROUTE Connection:

• A route relationship is bidirectional
• If a routed relationship is defined from Branch to Internal network, a routed relationship also exits from Internal to Branch Network.
• In route relationship, client requests from the source network are directly routed to the destination network. The Source IP address is always preserved.

NAT Connections:

• A NAT relationship is directional.
• Addresses from the source network are always translated when passing through TMG 2010 Server

Guru Mantra on when to use NAT or ROUTE relationship:

• When the source and destination Network use Private addresses, then we can use a route relationship.
• When the source Network use Private address and destination Network use Public address, then we can use a NAT relationship.
  Note: In the real scenario, sometimes we have to go beyond this Guru Mantra. But most of the cases this Guru Mantra will work.

Here, TMG 2010 Server has 5 NICs. They are named as Internal, Branch, LAN, DMZ and External. Branch offices use Cisco routers and are connected with head office using Cisco router with static routing and IPsec Site-to-Site VPN. Here we will focus on configuring TMG Firewall so that Head Office and branch offices can communicate with each other over Intranet and the Internet. In this scenario, we have to add all branch office internal network addresses in the TMG Server on the Branch Network (NIC Card). Then we have to add static route (all branch offices Internal Network) in TMG 2010 to reach branch offices network because TMG 2010 will not support dynamic routing.

When we install TMG 2010 Firewall, by default TMG 2010 will only detect two networks, Internal and External. TMG 2010 will not detect more than two NICs even if the Windows Server 2008 R2 recognizes more than two.

For this, we have to follow some steps:

1.  First create new network for branch and give the name as your design. Here we will
named it as Branch.
2.  Second, configure network rule;
Branch Network               TO          Internal, LAN, DMZ as Route relationship
       Branch Network               TO          External as NAT relationship
3.  At last, create Access rule to control traffic.

Perform the following steps to Create New Network for Branch:

1. In the Forefront TMG console tree, Right Click on Networking >New> Network…

2. On the Welcome to the New Network Wizard page, type Branch in the Network Name box and click Next.

3. On the New Network Wizard page, select Internal Network and click Next.

4. On the Network Addresses page, click on Add Adapter, select Branch on select Network Adapter page and then click OK. Click Next.

5. On the Completing the New Network Wizard page, click Finish. Click Apply to save changes and update the configuration. Then again click Apply and click OK to Saving Configuration Changes.

Perform the following steps to Create a Network Rule for Branch:

1. In the Forefront TMG console tree, Right Click on Networking>New>Network Rule…

2. On the Welcome to the New Network Rule Wizard page, type Branch to Internal, LAN & DMZ in the Network Rule name box and click Next.

3. On the Network Traffic Sources page, click Add, in the Network entities, expand Networks and select Branch and click Add and then click close.

4. On the Network Traffic Source page, click Next.

5. On the Network Traffic Destination page, click Add, In the Network entities, expand Networks and select Internal, LAN and DMZ, click Add and then click close.

6. On the Network Traffic Destinations page, click Next.

7. On the Network Relationship page, select Route and click Next.

8. On the Completing the New Network Rule Wizard page, click Finish. Click Apply to save changes and update the configuration. Then again click Apply and click OK to Saving Configuration Changes.

9. Apart from this, create a Network Rule for Branch to External as NAT Network Relationship to access the Internet.

After we Create Network and Network Rule for Branch Network, then we have to Create Access Rule to control traffic. For this please look into my previous article on Configuring Access Rules for Internet Access in TMG 2010.

According to our network diagram, we have to work on some more steps to access branch offices to head office server zone, LAN and DMZ. And from Head office to branch offices. In our scenario, TMG 2010 Firewall is configured with 5 NICs and only Branch NIC is connecting to the branch offices network. So we must add all the branch offices internal network addresses in the branch network in the TMG. Lastly, we must add static route in the TMG Firewall to reach each branch offices from the TMG Firewall.

Perform the following steps to add branch offices Internal networks in TMG Firewall Branch Network:

1. In the Forefront TMG console tree, Click on Networking, Click Networks, right click on Branch, select Properties.

2. In the Branch Properties dialog box, click Addresses, click Add Range…

3. In the IP Address Range Properties dialog box, type the branch offices Internal Address ranges. Here address ranges are:
192.168.202.0     192.168.202.255
                 192.168.203.0     192.168.203.255
                 192.168.204.0     192.168.204.255

Then click OK to close Branch Properties. Click Apply to save changes and update the configuration. Then again click Apply and click OK to Saving Configuration Changes.

Perform the following steps to add static route in TMG 2010 Firewall:

1. Open the command prompt at the TMG 2010, type the following commands to add static route to reach branch offices.

C:\> route add 192.168.202.0 mask 255.255.255.0 192.168.100.2 -p
C:\> route add 192.168.203.0 mask 255.255.255.0 192.168.100.2 -p
C:\> route add 192.168.204.0 mask 255.255.255.0 192.168.100.2 –p

Note: -p for permanent route

C:\> route print                (To check the static route)
=============================================================
Persistent Routes:

  Network Address        Netmask                Gateway Address         Metric
 192.168.202.0               255.255.255.0             192.168.100.2                      1
192.168.203.0               255.255.255.0             192.168.100.2                      1
192.168.204.0               255.255.255.0             192.168.100.2                      1
0.0.0.0                                0.0.0.0                         202.52.X.X                            1

=============================================================

On the Head Office Router, add the following static route:

ip route 0.0.0.0 0.0.0.0 192.168.100.1

ip route 192.168.202.0 255.255.255.0 172.16.240.2

ip route 192.168.203.0 255.255.255.0 172.16.240.3

ip route 192.168.204.0 255.255.255.0 172.16.240.4

On the each Branch Office Router, add the default route to Head Office:

ip route 0.0.0.0 0.0.0.0 172.16.240.1

 

Summary:

In this article I have demonstrated how to configure TMG 2010 Firewall with Multiple NICs in Enterprise Network with network diagram. This network diagram simulates one of the financial organizations in Nepal. Only the IP addresses are different. I hope this article will be useful helping You implement TMG 2010 Firewall in the Enterprise Network.