Configuring TMG 2010 Firewall with Multiple NICs in Enterprise Network
Multi-networking has been supported since ISA Server 2004. Multi-networking means that you can define multiple networks on the firewall and then write network rules and access rules that inspect and filter all traffic passing between those networks. Here we will configure multi-networking in TMG 2010 Firewall; the procedure is the same as in ISA Server 2004/2006.

When we enable multiple networks in TMG 2010 Firewall, we must configure network rules that define how packets are passed between networks or between computers. For this we should be familiar with the Network Rules of TMG 2010. A network rule defines the relationship between two networks, and that relationship is either ROUTE or NAT. Note that a network rule only defines the relationship; traffic between the two networks is still blocked until an access rule allows it.

ROUTE relationship:
- A route relationship is bidirectional.
- If a route relationship is defined from Branch to Internal, a route relationship also exists from Internal to Branch.
- In a route relationship, client requests from the source network are routed directly to the destination network. The source IP address is always preserved, so the destination host, the access rules and the TMG logs all see the real client address.

NAT relationship:
- A NAT relationship is directional.
- Addresses from the source network are always translated when passing through the TMG 2010 Server, so the destination sees the address of the TMG interface facing it rather than the original client.

Choosing the relationship:
- When the source and destination networks both use private addresses, we can use a route relationship.
- When the source network uses private addresses and the destination network uses public addresses, we use a NAT relationship. Note: in real scenarios we sometimes have to go beyond this Guru Mantra, but in most cases this Guru Mantra will work.
Here the TMG 2010 Server has 5 NICs, named Internal, Branch, LAN, DMZ and External. The branch offices use Cisco routers and are connected to the head office Cisco router with static routing and an IPsec site-to-site VPN. We will focus on configuring the TMG Firewall so that the head office and the branch offices can communicate with each other over the intranet and the Internet. In this scenario we have to add all branch office internal network addresses to the Branch network (the Branch NIC) on the TMG Server, and then add static routes for all branch office internal networks in TMG 2010 so that the firewall can reach them, because TMG 2010 does not support dynamic routing protocols such as RIP or OSPF.
After we create the network and the network rule for the Branch network, we have to create access rules to control the traffic. For this, please look at my previous article on Configuring Access Rules for Internet Access in TMG 2010.
According to our network diagram, a few more steps are needed so that the branch offices can reach the head office server zone, LAN and DMZ, and the head office can reach the branch offices. In our scenario the TMG 2010 Firewall has 5 NICs and only the Branch NIC connects to the branch office networks, so we must add all branch office internal address ranges to the Branch network in TMG, and then add static routes in the TMG Firewall so that each branch subnet is reached through that NIC. Both steps are required: TMG compares the source address of every packet with the address ranges of the network bound to the adapter it arrived on and drops mismatches as spoofed packets, so the Branch network definition and the routing table must agree.

Perform the following steps to add the branch office internal networks to the TMG Firewall Branch network:
1. In the Forefront TMG console tree, click Networking, click Networks, right-click Branch and select Properties.
2. In the Branch Properties dialog box, click Addresses, then click Add Range...
3. In the IP Address Range Properties dialog box, type the branch office internal address ranges. Here the ranges are:
   192.168.202.0 - 192.168.202.255
   192.168.203.0 - 192.168.203.255
   192.168.204.0 - 192.168.204.255
   Then click OK to close Branch Properties. Click Apply to save the changes and update the configuration, then click Apply and OK in the Saving Configuration Changes dialog.

Perform the following steps to add the static routes in TMG 2010 Firewall:
1. Open a command prompt on the TMG 2010 server and type the following commands to add a persistent static route for each branch subnet:

C:\> route add 192.168.202.0 mask 255.255.255.0 192.168.100.2 -p
C:\> route add 192.168.203.0 mask 255.255.255.0 192.168.100.2 -p
C:\> route add 192.168.204.0 mask 255.255.255.0 192.168.100.2 -p

Note: -p makes the route persistent, so it survives a reboot. Without it the route is lost on restart and branch traffic silently stops.

C:\> route print (to check the static routes)
=============================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    192.168.202.0    255.255.255.0    192.168.100.2       1
    192.168.203.0    255.255.255.0    192.168.100.2       1
    192.168.204.0    255.255.255.0    192.168.100.2       1
          0.0.0.0          0.0.0.0       202.52.X.X       1
=============================================================

On the Head Office router, add the following static routes:
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 192.168.202.0 255.255.255.0 172.16.240.2
ip route 192.168.203.0 255.255.255.0 172.16.240.3
ip route 192.168.204.0 255.255.255.0 172.16.240.4

On each Branch Office router, add a default route to the Head Office:
ip route 0.0.0.0 0.0.0.0 172.16.240.1
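The two steps above (adding the branch ranges to the Branch network and adding the persistent routes) can be scripted and, more importantly, checked against each other, since a subnet present in one but not the other is exactly what produces spoofed-packet drops. The following PowerShell script is an added example written for this article, not code from the original post or from Microsoft; it assumes the TMG network is named "Branch", that the next hop is 192.168.100.2 as above, and that the FPC.Root administration COM object exposes the Networks, IPRangeSet (Add, IP_From, IP_To) and Save members as I recall them from the Forefront TMG SDK. Run it in an elevated PowerShell on the TMG server and verify the member names against the SDK documentation for your build.

```powershell
# Added example (not from the original article). Define the branch subnets once,
# add them to the TMG "Branch" network, add matching persistent static routes,
# then verify that the two agree. Run in an elevated PowerShell on the TMG server.
# Assumptions: the TMG network is named "Branch" and the next hop towards the
# branch routers is 192.168.100.2 (the head office router), as in the article.

$branchNetworkName = 'Branch'
$nextHop           = '192.168.100.2'
$branchSubnets     = @(
    @{ Network = '192.168.202.0'; Mask = '255.255.255.0'; First = '192.168.202.0'; Last = '192.168.202.255' },
    @{ Network = '192.168.203.0'; Mask = '255.255.255.0'; First = '192.168.203.0'; Last = '192.168.203.255' },
    @{ Network = '192.168.204.0'; Mask = '255.255.255.0'; First = '192.168.204.0'; Last = '192.168.204.255' }
)

# 1. Add the address ranges to the Branch network through the TMG administration
#    COM object (FPC.Root), the same object model the management console uses.
#    Assumed member names: GetContainingArray, NetworkConfiguration.Networks,
#    IPRangeSet.Add(from, to) and Save; check them against the TMG SDK.
$fpc     = New-Object -ComObject 'FPC.Root'
$array   = $fpc.GetContainingArray()
$network = $array.NetworkConfiguration.Networks.Item($branchNetworkName)

foreach ($subnet in $branchSubnets) {
    $network.IPRangeSet.Add($subnet.First, $subnet.Last)
}
$network.Save()    # commit to configuration storage; equivalent to Apply in the console

# 2. Add a persistent (-p) static route for each subnet so the TMG routing table
#    sends branch-bound traffic out of the Branch NIC via the head office router.
foreach ($subnet in $branchSubnets) {
    & route.exe add $subnet.Network mask $subnet.Mask $nextHop -p | Out-Null
}

# 3. Verify: every branch subnet must be both in the Branch network definition
#    and in the persistent route table. If either is missing, TMG's spoof
#    detection drops branch traffic arriving on the Branch NIC.
$persisted = Get-WmiObject -Class Win32_IP4PersistedRouteTable
$ranges    = @($network.IPRangeSet | ForEach-Object { $_.IP_From + '-' + $_.IP_To })

foreach ($subnet in $branchSubnets) {
    $inRoutes = $persisted | Where-Object {
        $_.Destination -eq $subnet.Network -and
        $_.Mask        -eq $subnet.Mask    -and
        $_.NextHop     -eq $nextHop
    }
    $inRanges = $ranges -contains ($subnet.First + '-' + $subnet.Last)
    '{0,-16} persistent-route:{1,-6} branch-network-range:{2}' -f `
        $subnet.Network, [bool]$inRoutes, $inRanges
}
```

Each verification line should read True for both columns. A False under persistent-route means the route was added without -p (or not at all) and will not survive a reboot; a False under branch-network-range means the subnet is routed out of the Branch NIC but TMG does not consider it part of that network, which is the classic cause of "spoofed packet" drops in the TMG log.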
Summary: In this article I have demonstrated how to configure TMG 2010 Firewall with multiple NICs in an enterprise network, with a network diagram. The diagram simulates one of the financial organizations in Nepal; only the IP addresses are different. I hope this article will be useful in helping you implement TMG 2010 Firewall in your enterprise network.