Configuring TMG 2010 Firewall with Multiple NICs in Enterprise Network
Multi-networking has been supported since ISA Server 2004. It means that you can define multiple networks on the firewall and then configure network rules and access rules that inspect and filter all traffic passing between those networks. Here we configure multi-networking in TMG 2010 Firewall; the procedure is the same as in ISA Server 2004/2006. When we enable multiple networks in TMG 2010 Firewall, we must configure network rules that define how packets are passed between networks (or between individual computers). For that, we should be familiar with the network rules of TMG 2010. A network rule defines the relationship between two networks, and that relationship is either NAT or Route.
ROUTE relationship:
- A route relationship is bidirectional. If a route relationship is defined from Branch to Internal, a route relationship also exists from Internal to Branch.
- Client requests from the source network are routed directly to the destination network. The source IP address is always preserved.
NAT relationship:
- A NAT relationship is directional.
- Addresses from the source network are always translated when the traffic passes through the TMG 2010 Server; the destination sees the address of the TMG NIC facing it, not the original client.
Rule of thumb:
- When the source and destination networks both use private addresses, use a route relationship.
- When the source network uses private addresses and the destination network uses public addresses, use a NAT relationship. Note: in real scenarios we sometimes have to go beyond this Guru Mantra, but in most cases it works.
Here, the TMG 2010 Server has 5 NICs, named Internal, Branch, LAN, DMZ and External. The branch offices use Cisco routers and are connected to the head office Cisco router with static routing and an IPsec site-to-site VPN. We focus on configuring the TMG Firewall so that the head office and the branch offices can communicate with each other over the intranet and the Internet. In this scenario we have to add all branch office internal subnets to the Branch network (the Branch NIC) in TMG. Then we have to add static routes for all branch office internal subnets on the TMG 2010 server, pointing at the head office router on the Branch segment, because TMG 2010 does not support dynamic routing and relies on the Windows routing table.
When we install TMG 2010 Firewall, by default it defines only two networks, Internal and External. TMG 2010 does not automatically create networks for additional NICs, even when Windows Server 2008 R2 recognizes more than two adapters. So we have to do the following:
1. First, create a new network for the branch offices and name it according to your design. Here we name it Branch.
2. Second, configure the network rules: Branch TO Internal, LAN and DMZ as a Route relationship; Branch TO External as a NAT relationship.
3. Finally, create access rules to control the traffic.
Perform the following steps to create the new network for Branch:
1. In the Forefront TMG console tree, right-click Networking > New > Network…
After we have created the network and the network rules for the Branch network, we have to create access rules to control traffic. For this, please see my previous article, Configuring Access Rules for Internet Access in TMG 2010.
According to our network diagram, a few more steps are required so that the branch offices can reach the head office server zone, LAN and DMZ, and the head office can reach the branch offices. In our scenario the TMG 2010 Firewall has 5 NICs, and only the Branch NIC connects to the branch office networks. So we must add all branch office internal subnets to the Branch network in TMG; otherwise TMG's spoof detection sees packets on the Branch NIC with source addresses that do not belong to the Branch network and drops them as spoofed. Lastly, we must add static routes in the TMG Firewall so that it can reach each branch office network.
Perform the following steps to add the branch office internal subnets to the TMG Firewall Branch network: 1. In the Forefront TMG console tree, click Networking, click the Networks tab, right-click Branch and select Properties.
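The same two steps (adding the branch subnets to the Branch network and adding the matching persistent static routes) can be scripted instead of clicked through. The script below is an added example written for this article, not part of the original procedure. All IP addresses are constructed for illustration, the network name Branch is the one chosen above, and the COM object and member names (FPC.Root, GetContainingArray, NetworkConfiguration.Networks, IPRangeSet, IP_From/IP_To, Save) are those of the TMG 2010 administration COM API as I know it; run it in an elevated PowerShell session on the TMG server. Before adding a subnet it checks that the range does not overlap an address range already assigned to another TMG network, since overlapping networks produce a configuration error in TMG.

```powershell
# Added example, not from the original article: add branch office subnets to the TMG
# "Branch" network and create persistent static routes towards the head office router.
# All addresses below are constructed for illustration; replace them with your design.
# Requires the TMG console/COM objects on the server and an elevated PowerShell session.

# --- constructed design values (assumptions) ---------------------------------------
$branchSubnets = @(
    @{ Network = '10.10.0.0'; Mask = '255.255.255.0' },   # Branch office A
    @{ Network = '10.20.0.0'; Mask = '255.255.255.0' },   # Branch office B
    @{ Network = '10.30.0.0'; Mask = '255.255.255.0' }    # Branch office C
)
$branchRouter  = '192.168.100.2'   # head office Cisco router on the Branch NIC segment
$branchNetName = 'Branch'          # network created earlier in the TMG console

# --- IPv4 helpers -------------------------------------------------------------------
function Get-IPAsLong ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)                      # network byte order -> little-endian
    [long][BitConverter]::ToUInt32($b, 0)     # long keeps 0x80000000+ positive in PS
}
function Get-LongAsIP ([long]$n) {
    $b = [BitConverter]::GetBytes([uint32]$n)
    [Array]::Reverse($b)
    (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

# --- connect to the TMG configuration -------------------------------------------------
$fpc       = New-Object -ComObject FPC.Root
$array     = $fpc.GetContainingArray()
$networks  = $array.NetworkConfiguration.Networks
$branchNet = $networks.Item($branchNetName)

foreach ($s in $branchSubnets) {
    $maskN = Get-IPAsLong $s.Mask
    $lo    = (Get-IPAsLong $s.Network) -band $maskN        # first address of the subnet
    $hi    = $lo + (4294967295 - $maskN)                   # last address (broadcast)

    # A subnet may belong to exactly one TMG network. Check every other network's
    # address ranges for overlap. External is skipped because TMG defines it as all
    # addresses not assigned to any other network.
    foreach ($net in $networks) {
        if ($net.Name -eq $branchNetName -or $net.Name -eq 'External') { continue }
        foreach ($r in $net.IPRangeSet) {
            $rlo = Get-IPAsLong $r.IP_From
            $rhi = Get-IPAsLong $r.IP_To
            if ($lo -le $rhi -and $hi -ge $rlo) {
                throw ("{0}/{1} overlaps range {2}-{3} of network '{4}'" -f `
                       $s.Network, $s.Mask, $r.IP_From, $r.IP_To, $net.Name)
            }
        }
    }

    # 1. Add the subnet to the Branch network so traffic arriving on the Branch NIC
    #    from these addresses is not dropped as spoofed.
    $branchNet.IPRangeSet.Add((Get-LongAsIP $lo), (Get-LongAsIP $hi))

    # 2. Persistent static route so the TMG server itself knows how to reach the branch.
    #    TMG does not run a dynamic routing protocol; it uses the Windows routing table.
    & route.exe -p add $s.Network mask $s.Mask $branchRouter | Out-Null
    Write-Host ("Added {0}/{1} -> via {2}" -f $s.Network, $s.Mask, $branchRouter)
}

$branchNet.Save()   # commit the Branch network change to the TMG configuration store
```

After it runs, `route print` shows the three routes under Persistent Routes, and the Branch network's Addresses tab in the console lists the new ranges. The network rules (Route to Internal, LAN and DMZ; NAT to External) and the access rules still have to exist, or the traffic will be routable but denied.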
Summary: In this article I have demonstrated how to configure TMG 2010 Firewall with multiple NICs in an enterprise network, with a network diagram. The diagram simulates one of the financial organizations in Nepal; only the IP addresses are different. I hope this article will be useful in helping you implement TMG 2010 Firewall in the enterprise network.
Good content, I'll definitely benefit from it. The topology seems to be a real scenario. Thank you.
Great article Naresh dai. Keep it up.
Really, really useful article! Will come in handy in case of similar scenarios.
Nice article, really helped.
Good explanation.