Dual ISPs (TMG 2010): route traffic based on AD user

Greetings everyone -

Here is my challenge :

I have 1x Cisco 2800 series router with a Checkpoint FW behind it. This is in place by our corporate IT department and is out of my control.
The Checkpoint handles a site-to-site VPN over our 4 T1 lines to the corporate office, where they have another Checkpoint FW / Cisco router.
They currently have a content engine module installed and are filtering web content based on policies they have defined within.

My management team has asked that I come up with a way to allow certain users (management) access to sites that are blocked by the corporate filter. I have already spoken with the corporate IT group and let's just say that I won't be getting any help from them.
Management has also asked that I be able to report on the internet usage and activity of the users, which I don't even know if the content engine could do even if I did have access to it.
We are an enterprise-size corporation but the structure within corporate IT is very strange...

My solution to this since I can't do anything with their equipment is the following:

1x TMG 2010 Standard
2x NICs (one for LAN, one for DSL)
1x IPBinder to change the source IP.

Now I have been told that this scenario will work, but since Windows doesn't support more than one default gateway (especially when they are the same metric)
I have run into issues with DNS not choosing the right interface and other things.

I basically just want to use the 1st NIC as an inline proxy / web filter for the users (including management) and simply apply a rule and use IPBinder for specific users (mgmt) to use the DSL NIC.

I have searched and searched to no avail; all the multiple gateway / WAN / ISP articles I've found pertain to ISA 2006 or older, or they reference the ISP redundancy of TMG, which is NOT what I am after.
Keith Alabaster, Enterprise Architect, commented:
Not sure what purpose the IPBinder is serving. FTMG will perform the NAT functions when you select the front-end firewall installation setup.
If you set up FTMG properly then there is only one DNS: the internal DNS server IP addresses. You put the internal DNS IP addresses on both the internal and external NICs.

many times a firewall like this corporate one is inserted as a way to restrict internet access. The firewall is often inserted in the network in such a way that it won't affect the users in the transit period.

so often you have a network of and a gateway of when the corporate firewall is inserted in the network it for example get
the corporate firewall has a default route of
your LAN users now begin to get a DHCP-served default gateway of 253 and now get filtered by the firewall.

if this is the case then you only have to change the default gateway of your management PCs and add static routes to 253 for the corporate networks
Keith Alabaster, Enterprise Architect, commented:
If only web sites then the default gateway doesn't need changing, just the proxy settings introduced within the browser. If non-web sites are needed then the FTMG Firewall Client can be used. The static route would need to be placed on the FTMG box though.
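An added example, not posted by any participant in this thread, of what Keith's "just the proxy settings within the browser" looks like when the settings are pushed out as a PAC file: plain intranet names, the corporate DNS suffix and RFC 1918 addresses go DIRECT (so they keep using the existing VPN path), and everything else is handed to the TMG web proxy listener. The proxy address tmg.nar.example:8080 and the suffix .corp.example are assumptions. Choosing which users get this file (management only) is a deployment decision, for example the user half of a Group Policy object, not something the PAC file itself decides. Browsers supply isPlainHostName/dnsDomainIs/isInNet; minimal versions are defined here so the file also runs under Node for testing.

```javascript
// Added example (not from the thread). Assumed values: TMG listener address,
// corporate DNS suffix. The helper functions below mirror the PAC built-ins
// closely enough for offline testing; a browser ignores them and uses its own.

var TMG_PROXY = "PROXY tmg.nar.example:8080"; // assumed: TMG internal NIC + web listener port
var CORP_DOMAIN = ".corp.example";            // assumed: corporate AD DNS suffix

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Parse a dotted-quad into an unsigned 32-bit number; null if not a literal IP.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Literal-IP version of the PAC isInNet(): true if ip falls inside net/mask.
// (The browser built-in would also resolve hostnames; this one does not.)
function isInNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), c = ipToInt(mask);
  if (a === null || b === null || c === null) return false;
  return ((a & c) >>> 0) === ((b & c) >>> 0);
}

function isRfc1918(ip) {
  return isInNet(ip, "10.0.0.0", "255.0.0.0") ||
         isInNet(ip, "172.16.0.0", "255.240.0.0") ||
         isInNet(ip, "192.168.0.0", "255.255.0.0");
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Intranet short names and anything under the corporate suffix: direct,
  //    so they keep traversing the Checkpoint/VPN path exactly as before.
  if (isPlainHostName(host) || dnsDomainIs(host, CORP_DOMAIN)) {
    return "DIRECT";
  }

  // 2. Literal private addresses (corporate subnets reached over the VPN): direct.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isRfc1918(host)) {
    return "DIRECT";
  }

  // 3. Everything else, HTTP and HTTPS (the browser tunnels HTTPS to a web
  //    proxy with CONNECT), goes to TMG. Deliberately no "; DIRECT" fallback:
  //    if TMG is unreachable the browser fails closed instead of silently
  //    dropping back to the path TMG never sees or logs.
  return TMG_PROXY;
}
```

Only requests the browser itself issues follow this file: HTTP, and HTTPS via CONNECT. A protocol that a plug-in opens on its own socket is not covered, which is the gap Keith's mention of the Firewall Client addresses. Leaving out the trailing "; DIRECT" is the fail-closed choice: if the TMG listener is down, management browsers stop rather than bypassing the proxy that is supposed to produce the usage reports.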
nationalautoresearch (Author) commented:
Keith -

In regard to the type of traffic, it is just web traffic that he will need, but if the website he visits contains Flash content, or embedded streaming video of some sort, obviously I would want this traffic to come via the DSL WAN versus the corporate WAN; would that be included in HTTP/HTTPS? Or will I have to specify those protocols directly?

Also why did everyone tell me I would need IPBinder in order to split traffic based on the source user with TMG?

I have two NICs in TMG, one is (corporate LAN) one is (DSL)
Won't I have to use IPBinder on the rule for the specific user so that all his traffic "appears" to TMG to be coming from Otherwise it won't send that traffic out that interface due to no static route... right?
nationalautoresearch (Author) commented:
I am considering using "Untangle" a dedicated linux based open source solution to achieve this goal versus using TMG.

Version 7.2 supports integration with AD and may be what I need. Anyone have any experience with this product?
Keith Alabaster, Enterprise Architect, commented:
The DSL router will be set (or should be, lol) to port-forward the ports you want (or all of them if you choose) to the FTMG external NIC, so no, you do not need IPBinder.
Qlemo "Batchelor", Developer and EE Topic Advisor, commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.