Tuesday, April 10, 2012

Forefront TMG With Single NIC Configuration

I'm involved in a large scale Microsoft Exchange deployment project recently. I've proposed  to use TMG server with single NIC configuration to function as reverse proxy for Exchange services.

During the discussion with my customer when we drill down to the TMG configurations, I'm asked why am I proposing TMG server with single NIC(DMZ) instead of 2 NIC(DMZ + Internal).

Well this is a good question and I would like to take this opportunity to explain the benifits of single NIC configurations.

Before that, you may want to take a look into what is the limitation of single NIC configuration here.

Lets talk about typical 2 NIC configuration like below:


The TMG is configured with 2 NICs, 1 connecting to External network and another one connecting to internal network. When the external firewall NAT the 443 traffic(for Exchange services) to TMG, first it will go through from the external network NIC then perform reverse proxy request to Exchange server via internal network NIC. Please note that in this situation the network traffic will bypass the internal firewall when it route back to Exchange server.


Where if you use single NIC configuration, it will look like this:

 When the external firewall NAT the 443 traffic to TMG, the TMG server will perform reverse proxy request (firewall to route the traffic back to Exchange server) to Exchange server with only single NIC, where it will need to go through the firewall this time without bypassing it.


In my humble personal opinion, this is a better configuration since we can utilize the internal firewall's functionality(scan for malware and etc) instead of bypassing it, it would be a waste if we deploy an inetrnal firewall and bypass it right?(and firewall is expensive!)  ;)

Anyway this is still very much depend on the situation, whether the customer's policy would allow you route traffic directly from DMZ to internal.

I hope this would help you to have a better idea on single NIC TMG deployment.


No comments:

Post a Comment