  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 685

How many NICs does Forefront need?

I'm spec'ing a server for Forefront TMG.  We have 4 VLANs, and 2 ISPs.  Does that automatically mean I should have 6 NICs?  Can I use 1 NIC for ISP redundancy?

I do have L3 switches, but they are absolutely atrocious (Dell 6248) and I'd like to keep as much stress as I can off them to ensure reliability.

The VLANs are:

Staff PCs
Management (Servers, management IPs)
Public kiosk PCs
Public (anonymous unsecured) wireless
Asked by: sbumpas
1 Solution
Keith Alabaster (Enterprise Architect) commented:
Two NICs for external: one for each ISP, in ISP failover mode.
One NIC as a DMZ for the public networks.
One for internal.

Use the three-legged firewall template

sbumpas (Author) commented:
For the internal networks, would routing be handled by TMG or by L3 network equipment?
sbumpas (Author) commented:
I should probably ask the same question for the public networks, as you suggest they share a NIC?  I assume the NIC would be tagged, if the switches don't handle the routing?
Keith Alabaster (Enterprise Architect) commented:
If they are tagged then FTMG would not be able to handle it. FTMG is not a router in itself; it uses the routing capabilities of the host OS. The port used by the FTMG to connect to its nearest L3 switch should be a VLAN of its own or a straight subnet, with the L3 switch using that subnet as its gateway to the FTMG.

sbumpas (Author) commented:
I think I understand - the 2 internal NICs should be dedicated /30, correct?
Keith Alabaster (Enterprise Architect) commented:
That would work fine - yes.

When you configure the FTMG wizard, it will ask what the internal addresses are that it protects. Include ALL addresses that are contactable through the INTERNAL NIC. These MUST include the network IDs and the broadcast addresses for ALL internal VLANs and subnets.

i.e.
192.168.0.0 - 192.168.0.255

Do the same for the Wireless/untrusted nic.
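The network definition Keith describes is easy to get subtly wrong when several VLANs and a /30 transit link sit behind one NIC: a subnet left out of the INTERNAL definition falls into TMG's External network, and packets from it arriving on the internal NIC are then treated as spoofed and dropped. The script below is an added example (not part of the original thread and not a TMG tool) that takes the subnets behind each NIC, expands every one to its network ID through its broadcast address, merges adjacent subnets into the contiguous ranges you would type into the network definition, and flags any subnet that has been assigned to both the internal and the DMZ NIC. All subnet values are constructed sample data standing in for the poster's four VLANs and two transit links.

```python
import ipaddress

# Constructed sample values: VLANs behind the INTERNAL NIC plus the /30
# transit link between TMG and the L3 switch. Replace with your own addressing.
INTERNAL_SUBNETS = [
    "10.10.1.0/24",    # Staff PCs
    "10.10.2.0/24",    # Management (servers, management IPs)
    "10.10.254.0/30",  # TMG <-> L3 switch transit link
]

# Constructed sample values: subnets behind the DMZ / untrusted NIC.
DMZ_SUBNETS = [
    "10.20.1.0/24",    # Public kiosk PCs
    "10.20.2.0/24",    # Public (anonymous) wireless
    "10.20.254.0/30",  # TMG <-> L3 switch transit link for the DMZ side
]


def address_ranges(subnets):
    """Return (first, last) string pairs to enter in a TMG network definition.

    Each subnet contributes its network ID through its broadcast address, as the
    answer above requires; subnets that sit back to back are merged into one
    contiguous range so the definition stays short.
    """
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(s) for s in subnets)
    ranges = []
    for net in nets:  # collapse_addresses yields networks in ascending order
        first, last = net.network_address, net.broadcast_address
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1] = (ranges[-1][0], last)   # extend the previous range
        else:
            ranges.append((first, last))
    return [(str(a), str(b)) for a, b in ranges]


def overlapping_subnets(internal, dmz):
    """Return (internal, dmz) pairs whose address space overlaps.

    The same addresses reachable through two NICs is a definition error: TMG
    would see traffic from those addresses as spoofed on one of the interfaces.
    """
    i_nets = [ipaddress.ip_network(s) for s in internal]
    d_nets = [ipaddress.ip_network(s) for s in dmz]
    return [(str(a), str(b)) for a in i_nets for b in d_nets if a.overlaps(b)]


def nic_for(address, internal, dmz):
    """Report which defined network an address belongs to.

    Anything not covered by a definition lands in TMG's implicit External
    network, which is exactly the case a forgotten VLAN produces.
    """
    ip = ipaddress.ip_address(address)
    if any(ip in ipaddress.ip_network(s) for s in internal):
        return "INTERNAL"
    if any(ip in ipaddress.ip_network(s) for s in dmz):
        return "DMZ"
    return "EXTERNAL"


if __name__ == "__main__":
    print("Internal network definition:")
    for first, last in address_ranges(INTERNAL_SUBNETS):
        print(f"  {first} - {last}")
    print("Wireless/untrusted network definition:")
    for first, last in address_ranges(DMZ_SUBNETS):
        print(f"  {first} - {last}")
    for pair in overlapping_subnets(INTERNAL_SUBNETS, DMZ_SUBNETS):
        print("  OVERLAP between NICs:", pair)
    for probe in ("10.10.2.17", "10.20.2.200", "10.10.3.5"):
        print(f"  {probe} -> {nic_for(probe, INTERNAL_SUBNETS, DMZ_SUBNETS)}")
```

Running it prints the ranges to enter for each NIC and shows that `10.10.3.5`, a host on a VLAN that was never listed, resolves to EXTERNAL, which is the symptom to look for when a whole subnet suddenly cannot pass through TMG after adding a VLAN behind the L3 switch.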
sbumpas (Author) commented:
Thanks again!