• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1017

Dual ISPs (TMG 2010): route traffic based on AD user

Greetings everyone -

Here is my challenge:

I have 1x Cisco 2800 series router with a Checkpoint FW behind it. This was put in place by our corporate IT department and is out of my control.
The Checkpoint handles a site-to-site VPN over our 4 T1 lines to the corporate office, where they have another Checkpoint FW / Cisco router.
They currently have a content engine module installed and are filtering web content based on policies they have defined within.

My management team has asked that I come up with a way to allow certain users (management) access to sites that are blocked by the corporate filter. I have already spoken with the corporate IT group and let's just say that I won't be getting any help from them.
Management has also asked that I be able to report on the internet usage and activity of the users, which I don't even know if the content engine could do even if I did have access to it.
We are an enterprise size corporation but structure within corporate IT is very strange.....

My solution to this since I can't do anything with their equipment is the following:

1x TMG 2010 Standard
2x NIC's (One for LAN, one for DSL)
1x IPBinder to change the source IP.

Now I have been told that this scenario will work, but since Windows doesn't support more than one default gateway (especially when they have the same metric),
I have run into issues with DNS not choosing the right interface, and other things.

I basically just want to use the 1st NIC as an inline proxy / web filter for the users (including management), and simply apply a rule and use IPBinder for specific users (mgmt) to use the DSL NIC.

I have searched and searched to no avail; all the multiple gateway / WAN / ISP articles I've found pertain to ISA 2006 or older, or they reference the ISP redundancy of TMG, which is NOT what I am after.
Keith Alabaster (Enterprise Architect) commented:
Not sure what purpose the IPBinder is serving. FTMG will perform the NAT functions when you select the front-end firewall installation setup.
If you set up FTMG properly then there is only one DNS: the internal DNS server IP addresses. You put the internal DNS IP addresses on both the internal and external NICs.
Many times a firewall like this corporate one is inserted as a way to restrict internet access. The firewall is often inserted in the network in such a way that it won't affect the users in the transit period.

So often you have a network of and a gateway of ; when the corporate firewall is inserted in the network it, for example, gets
The corporate firewall has a default route of
Your LAN users now begin to get a DHCP-served default GW of 253 and now get filtered by the firewall.

If this is the case then you only have to change the default GW of your management PCs and add static routes to 253 for the corporate networks.
Keith Alabaster (Enterprise Architect) commented:
If only web sites are needed then the default GW doesn't need changing, just the proxy settings introduced within the browser. If non-web sites are needed then the FTMG firewall client can be used. The static route would need to be placed on the FTMG box, though.
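The "just the proxy settings in the browser" approach from the comment above can be pushed to the management PCs as a proxy auto-configuration (PAC) script instead of hand-editing each browser. The script below is an added example, not code from the thread or from Microsoft; the proxy name tmg.corp.example:8080, the intranet suffix .corp.example, and the 10.0.0.0/8 and 192.168.0.0/16 ranges standing in for the corporate networks are all assumptions, since the thread's real addresses are not on the page. Real PAC engines supply helpers such as isInNet() and dnsDomainIs(); this version carries its own so it also runs unchanged under Node for testing.

```javascript
// PAC script (added example): send browser traffic for the corporate
// LAN and intranet directly, everything else through the TMG proxy on
// its internal NIC. Proxy name, domain suffix and ranges are assumed.
var TMG_PROXY = "PROXY tmg.corp.example:8080"; // assumed TMG internal NIC
var DIRECT = "DIRECT";

// Networks reached without the proxy (assumed corporate ranges + loopback).
var DIRECT_NETS = [["10.0.0.0", 8], ["192.168.0.0", 16], ["127.0.0.0", 8]];
// Intranet DNS suffixes reached without the proxy (assumed).
var DIRECT_SUFFIXES = [".corp.example"];

// Dotted-quad IPv4 -> integer; -1 if the string is not a strict IPv4 literal.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var o = parseInt(parts[i], 10);
    // Reject empty, non-numeric, out-of-range and zero-padded octets.
    if (isNaN(o) || o < 0 || o > 255 || String(o) !== parts[i]) return -1;
    n = n * 256 + o;
  }
  return n;
}

// True when ip falls inside net/bits. Arithmetic instead of bit shifts
// so the comparison stays correct for the high bit without >>> tricks.
function inCidr(ip, net, bits) {
  var a = ipToInt(ip), b = ipToInt(net);
  if (a < 0 || b < 0) return false;
  if (bits === 0) return true;
  var hostSize = Math.pow(2, 32 - bits);
  return Math.floor(a / hostSize) === Math.floor(b / hostSize);
}

// Entry point the browser calls for every URL. Returns only the proxy
// string (no "; DIRECT" fallback) so a dead proxy does not silently turn
// into unfiltered, unlogged direct access.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (http://intranet/) never leave the LAN.
  if (host.indexOf(".") === -1) return DIRECT;

  // Intranet suffixes, including the bare zone name itself.
  for (var i = 0; i < DIRECT_SUFFIXES.length; i++) {
    var s = DIRECT_SUFFIXES[i];
    if (host === s.slice(1) || host.slice(-s.length) === s) return DIRECT;
  }

  // IP-literal hosts inside the corporate ranges.
  if (ipToInt(host) >= 0) {
    for (var j = 0; j < DIRECT_NETS.length; j++) {
      if (inCidr(host, DIRECT_NETS[j][0], DIRECT_NETS[j][1])) return DIRECT;
    }
  }

  // Everything else: the TMG proxy decides per AD user what happens next.
  return TMG_PROXY;
}
```

The PAC only tells the browser which way to send the request; which external interface a given AD user's request leaves on is still decided by the TMG rule, and users who can hand-edit their proxy settings can ignore the PAC, so lock the setting with Group Policy if the point is reporting on usage rather than just convenience.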
nationalautoresearch (Author) commented:
Keith -

In regard to the type of traffic, it is just web traffic that he will need, but if the website he visits contains Flash content, or embedded streaming video of some sort, obviously I would want this traffic to come via the DSL WAN versus the corporate WAN. Would that be included in HTTP/HTTPS? Or will I have to specify those protocols directly?

Also why did everyone tell me I would need IPBinder in order to split traffic based on the source user with TMG?

I have two NICs in TMG, one is (corporate LAN), one is (DSL).
Won't I have to use IPBinder on the rule for the specific user so that all his traffic "appears" to TMG to be coming from ? Otherwise it won't send that traffic out that interface due to no static route..... right?
nationalautoresearch (Author) commented:
I am considering using "Untangle", a dedicated Linux-based open-source solution, to achieve this goal versus using TMG.

Version 7.2 supports integration with AD and may be what I need. Anyone have any experience with this product?
Keith Alabaster (Enterprise Architect) commented:
The DSL router will be set (or should be, lol) to port-forward the ports you want (or all of them, if you choose) to the FTMG external NIC, so no, you do not need IPBinder.
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.