Solved

Should Forefront  TMG be a member of my domain?

Posted on 2010-11-12
3,603 Views
Last Modified: 2012-05-10
I'm looking at setting up FTMG in a virtual environment and using it as my primary firewall (eliminating our SonicWall hardware appliance).  Should this VM be a part of my domain, or should it be completely standalone since it will have a direct connection to the internet?
Question by:sbumpas
16 Comments
 
LVL 6

Assisted Solution

by:Hisham_Elkouha
Hisham_Elkouha earned 100 total points
ID: 34124250
The ISA server cannot communicate with users if it is not a member of the domain. But it would be more secure if you leave it in a workgroup; in this case you should create a rule that allows the LDAP protocol between ISA and your domain controller.
 

Author Comment

by:sbumpas
ID: 34124272
What communication would need to take place between users?  I was planning on using it as a L2/L3 firewall specifically (we do not have anybody connecting externally).
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 34125014
You can configure Microsoft Forefront Threat Management Gateway as follows:

- In workgroup mode.

- As a member of an existing corporate domain.

- In a dedicated domain that has one-way or two-way trust with the corporate domain configuration.

There are a number of considerations when deciding whether to install in domain or workgroup mode:

When access rules require internal clients to authenticate for outbound access, Forefront TMG can authenticate domain user accounts against an Active Directory directory service domain controller. Web proxy requests in a workgroup environment can be authenticated against a RADIUS server.

Firewall client requests automatically include user credentials. To authenticate these requests, Forefront TMG should belong to a domain. In a workgroup environment, you can authenticate requests with user accounts that are mirrored to accounts stored in the local Security Accounts Manager (SAM) on the Forefront TMG server, but this requires some administrative overhead for secure management.

To authenticate inbound requests to internal Web servers using domain account credentials or certificate authentication, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS or SecurID server can be used for authentication.

To authenticate virtual private network (VPN) requests using domain account credentials or certificates, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS server can be used for authentication.

You can configure VPN client user mapping to map users of operating systems other than Microsoft Windows to domain user accounts. User mapping is only supported when Forefront TMG is installed in a domain.

In a domain, you can lock down the Forefront TMG server using Group Policy, rather than by configuring only a local policy.

In a domain environment, if Active Directory is compromised, for example by an internal attack, the firewall can also be compromised, because a user with Domain Administrator rights can administer every domain member, including the server running Forefront TMG. Similarly if the firewall is compromised, the domain in which Forefront TMG is located is also at risk. By default, the Domain Admins group is in the Administrators group on the Forefront TMG server.

You can use these articles and references, where you can find your planned deployment described as a commonly used scenario, along with network topology considerations:

http://technet.microsoft.com/en-us/library/dd897048.aspx
http://technet.microsoft.com/en-us/library/cc995141.aspx
http://technet.microsoft.com/en-us/library/ee796231.aspx#kjdfg947jfht

Hope these links will help you understand the key features you will lose when you implement a workgroup model.

Regards,
MKhairy

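The domain-membership trade-off above (a compromised Active Directory can reach the firewall because Domain Admins sits in the local Administrators group by default) is something you can verify on the TMG host itself. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it targets Windows Server 2008 R2 (the TMG platform), so it uses WMI and net.exe rather than the newer NetTCPIP and LocalAccounts cmdlets, and it assumes the standard English output format of `net localgroup`.

```powershell
# Added example: report whether this TMG host is domain-joined and whether
# the domain's Domain Admins group is a local Administrator on it.
# Assumes Windows Server 2008 R2 and English 'net localgroup' output.

$cs = Get-WmiObject -Class Win32_ComputerSystem

if ($cs.PartOfDomain) {
    Write-Host "Host is a member of domain: $($cs.Domain)"
} else {
    Write-Host "Host is in workgroup mode: $($cs.Workgroup)"
}

# Parse the member list out of 'net localgroup Administrators', dropping
# the header, separator and trailer lines that the command prints.
$raw = net localgroup Administrators
$members = $raw | Where-Object {
    $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)'
}

Write-Host "Local Administrators members:"
$members | ForEach-Object { Write-Host "  $_" }

# This is the default the comment warns about: any Domain Admin can then
# administer the firewall, so it is worth knowing whether it still applies.
$domainAdmins = $members | Where-Object { $_ -match '\\Domain Admins$' }
if ($domainAdmins) {
    Write-Warning "Domain Admins is in the local Administrators group on this TMG host."
}
```

Run it in an elevated PowerShell session on the TMG server. If the host is domain-joined and the warning fires, the decision is between accepting that exposure or removing Domain Admins from the local group (for example with a Group Policy Restricted Groups setting scoped to the firewall's OU), which is the lock-down the comment refers to.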
 

Author Comment

by:sbumpas
ID: 34125097
Thanks; from the reading material it looks like I'll be doing an edge configuration in a workgroup with ISP redundancy.  I will configure rules using subnets rather than users/groups (1/2 of my infrastructure is not in a domain).

Do you have any experience with this type of deployment?
 
LVL 7

Accepted Solution

by:Mohamed Khairy
Mohamed Khairy earned 300 total points
ID: 34125899
Experience on what? Deployment steps or guidelines?

Anyway, here are the steps on how to enable Internet Service Provider (ISP) redundancy:

http://technet.microsoft.com/en-us/library/dd440984.aspx

Also, you should make sure that automatic metrics is turned off, because if it is not turned off, when the operating system recalculates the network selection it may cause misalignment with the Forefront TMG route cache functionality. This can interrupt communication, such as the UDP communications typically used by the Instant Messenger network discovery phase.

http://blogs.technet.com/b/isablog/archive/2009/10/14/the-isp-redundancy-feature-of-forefront-tmg.aspx

Hope this helps; I am waiting for any other clarifications needed.
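Turning off automatic metrics, as the comment above advises for ISP redundancy, means giving each interface a fixed metric so Windows stops recomputing them. The following script is an added example (not from the thread, the linked blog or the product documentation); it uses `netsh interface ipv4` because TMG runs on Windows Server 2008 R2, which predates the `Set-NetIPInterface` cmdlet. The interface names and metric values are placeholders and must be replaced with the names shown by `netsh interface ipv4 show interfaces` on your host.

```powershell
# Added example: pin explicit IPv4 interface metrics on a TMG host so the
# operating system does not recalculate them behind TMG's route cache.
# Interface names and metrics below are placeholders, not values from the thread.

# Placeholder map of interface name -> metric. Lower metric = preferred route.
$interfaces = @{
    'External ISP1' = 10
    'External ISP2' = 20
    'Internal'      = 5
}

# Show the current state first; the 'Met' column is the metric.
Write-Host "Before:"
netsh interface ipv4 show interfaces

foreach ($nic in $interfaces.GetEnumerator()) {
    # Assigning a fixed metric is what disables automatic metric on that interface.
    netsh interface ipv4 set interface "$($nic.Key)" metric=$($nic.Value)
}

# Verify that the 'Met' column now shows the assigned values.
Write-Host "After:"
netsh interface ipv4 show interfaces
```

Run it elevated; netsh returns "Ok." for each interface it changes. Keep the two external interfaces on distinct metrics so that a change on one ISP link never leaves Windows with two equal-cost default routes that it could reorder on its own.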
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34128304
There is no question here. If you can add your ISA/TMG server to the domain then you should.
It is in line with best practice, it gives you the most flexibility, it is less fiddly in respect to configuration, you need to open fewer ports, and it simplifies things if you are publishing services.
 

Author Comment

by:sbumpas
ID: 34128547
Even if the TMG server is added to the domain, should it receive its own dedicated DMZ?
 
LVL 10

Expert Comment

by:simonlimon
ID: 34128812
Looking at it, since TMG is a firewall it will probably be a gateway between various networks (Client LAN, Server LAN and/or Perimeter network, maybe even the Internet). How can it have a separate DMZ?

But I would definitely put it in a domain... Most notably you can use Kerberos delegation, which for me is a great feature. Very user friendly, but a bit more work for the administrator. It works very well alongside a RADIUS one-time password server or certificates with smart cards.
 

Author Comment

by:sbumpas
ID: 34129162
I'm planning on using TMG specifically as an edge device, with no user authentication required for Internet access.  60% of our users are on public wireless/kiosks, and are not part of our domain.

In this scenario, what would be the benefit of Kerberos delegation (I'm unfamiliar with that concept)?
 
LVL 10

Expert Comment

by:simonlimon
ID: 34129184
Kerberos delegation is used for delegating credentials, and is solely used in web publishing. If you don't publish any resources to the Internet with the TMG you won't need this. Also, I would suggest you read this article about domain membership.

http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

But if you ask me, I would have TMG / ISA as a domain member...
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34130044
There is no benefit in Kerberos delegation based on your stated activities.
 

Author Comment

by:sbumpas
ID: 34131254
By adding the server to the domain, will that enable per-user logging for domain credentials?  I can't find any reference to that in the administrator's guide.
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 300 total points
ID: 34131336
It makes life easier - access rules will need to be able to request and validate user credentials by setting per-rule requirements and if the server is part of the domain this simplifies matters as you can imagine.
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 34131675
You can use domain groups and users in the rules, and you don't need to use RADIUS or LDAP servers to validate user credentials, which in the case of RADIUS or LDAP increases the risk of account lockout.
 

Author Comment

by:sbumpas
ID: 34135737
One last question - I'm still a little unclear on the network design for a TMG server.  Currently, I have a VLAN dedicated to the connection between my firewall and my switch stack (think of it as a /30 network).  Would the same apply to a TMG server that's part of my LAN domain?  Seems like it would, as DNS could be set manually, which would allow for domain membership without any hassle.
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 300 total points
ID: 34270385
In this scenario the TMG server would use an IP inside that /30 network.

You would then point your clients to this as a proxy.

Or you could put the TMG in your LAN, give it an IP there and proxy from your LAN to the Internet.

A third option would be to give TMG an IP on that /30 network and an IP on your LAN, and it would be a gateway between these two networks.

But the decision is up to you.

If I were you I would have it as a gateway between the LAN and the /30 network. It allows greater control towards the outside, as you control outgoing traffic at one point.
