ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.
One of a set of tools we're offering as a way to say thank you for being a part of the community.
Threat Management Gateway Replacing PIX
Hi I am installing on a brand new infrastructure, 2 new TMG 2010 servers, running on W2008 Standard.
Each server has its own IP of course. The plan is to create an array of TMG to allow redundancy and load balancing.
Currently we have a PIX, which is being removed. This is connected to a modem, and also to a switch (2960). Routing was moved recently from the PIX to the core 3560.
PIX therefore currently supplys just internet access.
Can I do the following? The 2 TMG's are also on the layer3 3560. They are not connected directly to the modem. Can I connect the modem to the router, and then control firewall via TMG array? If so how?
Or should the 2 TMG servers be connected to the modem?
Bruce
Each server has its own IP of course. The plan is to create an array of TMG to allow redundancy and load balancing.
Currently we have a PIX, which is being removed. This is connected to a modem, and also to a switch (2960). Routing was moved recently from the PIX to the core 3560.
PIX therefore currently supplys just internet access.
Can I do the following? The 2 TMG's are also on the layer3 3560. They are not connected directly to the modem. Can I connect the modem to the router, and then control firewall via TMG array? If so how?
Or should the 2 TMG servers be connected to the modem?
Bruce
Who is Participating?
Really you would want to be on 2008 R2 but ordinary 2008 is OK as long as you have SP2 deployed also - minimum requierment.
If you are using the ISP-R features for load-balancing and failover then the FTMG's have to have a minimum of three nics installed (2 x external, one internal facing). Up to you where you put them in the topology but it is best practice to ensure that the external facing nics have a direct route to the Internet.
The main issue will be to ensure that nothing that sits between the FTMG array/pair has a route to the internal networks unless it passes through the FTMG boxes to get there. For example, if you have spare interfaces on the router sitting between FTMG and the Internet and you connect a spare interface to the internal network directly, you will likely end up with routing loops and spoofing issues.
Keith
If you are using the ISP-R features for load-balancing and failover then the FTMG's have to have a minimum of three nics installed (2 x external, one internal facing). Up to you where you put them in the topology but it is best practice to ensure that the external facing nics have a direct route to the Internet.
The main issue will be to ensure that nothing that sits between the FTMG array/pair has a route to the internal networks unless it passes through the FTMG boxes to get there. For example, if you have spare interfaces on the router sitting between FTMG and the Internet and you connect a spare interface to the internal network directly, you will likely end up with routing loops and spoofing issues.
Keith
Thanks Keith
Just to confirm it is 2008 R2 on both boxes.
What I have done is the following, both servers have a quad port card fitted, and 2 embedded NIC's, one of which will be used for ILO.
There are 2 cables coming from each quad port currently, the cables go to seperate 3560 routers and are teamed as one logical address for redundancy, thats my internal connection.
I have just cabled up 2 more lengths, the plan is to plug 1 cable into one of the 2 spare quad ports, or the remaining embedded one, not sure which is best, but anyway both these will now go directly to the modem, which has 3 spare ports. This will be the direct to external routes on both.
Can I with this planned topology, do the following.
Set up an array, assign it with a IP address and then configure it so that it balances the load and sends external out to the internet?
Just to confirm it is 2008 R2 on both boxes.
What I have done is the following, both servers have a quad port card fitted, and 2 embedded NIC's, one of which will be used for ILO.
There are 2 cables coming from each quad port currently, the cables go to seperate 3560 routers and are teamed as one logical address for redundancy, thats my internal connection.
I have just cabled up 2 more lengths, the plan is to plug 1 cable into one of the 2 spare quad ports, or the remaining embedded one, not sure which is best, but anyway both these will now go directly to the modem, which has 3 spare ports. This will be the direct to external routes on both.
Can I with this planned topology, do the following.
Set up an array, assign it with a IP address and then configure it so that it balances the load and sends external out to the internet?
Both units would have their own addresses plus the shared VIP. You would have to use NLB on the internal to balance outbound across the two FTMGs. An array in itself does not provide load-balancing. If you have the Enterprise version then you can use integrated NLB - driven from within FTMG, else it is the good, old-fashioned, normal NLB approach.
Sorry been a while since I done this.
So I connect a cable from both servers T1 and T2 to the layer3 switches, assign them unique ip addresses in the same subnet.
Then I NLB these 2 connections to become my cluster which has its own IP address
Then I also have a cable from each server going to the modem, this will be using I guess a DHCP apipa address ?
Then use TMG to connect all the above, but also config the layer 3 switches to route traffic to the shared NLB address? (currently routing to PIX ip address)?
So I connect a cable from both servers T1 and T2 to the layer3 switches, assign them unique ip addresses in the same subnet.
Then I NLB these 2 connections to become my cluster which has its own IP address
Then I also have a cable from each server going to the modem, this will be using I guess a DHCP apipa address ?
Then use TMG to connect all the above, but also config the layer 3 switches to route traffic to the shared NLB address? (currently routing to PIX ip address)?
Hang on I'm probably making this more complex than it needs to be. Okay
I have installed nlb on both servers, how do you get to integrated nlb?
I think there's an issue with nlb on the 2 internal ips because as I mentioned they are teamed to form 1 logical ip each and I don't think you can nlb teamed connections though I'll try and see if the service packs and updates for tmg2010 help.
I guess if I do get the internals balanced that's my shared VIP, then I can route traffic out to the Internet and then incoming I can copy my pix configs over so that .xxx goes to exchange etc xxy goes to sharepoint
Sorry appreciate ypur help, it's a small setup but complex for me lol
I have installed nlb on both servers, how do you get to integrated nlb?
I think there's an issue with nlb on the 2 internal ips because as I mentioned they are teamed to form 1 logical ip each and I don't think you can nlb teamed connections though I'll try and see if the service packs and updates for tmg2010 help.
I guess if I do get the internals balanced that's my shared VIP, then I can route traffic out to the Internet and then incoming I can copy my pix configs over so that .xxx goes to exchange etc xxy goes to sharepoint
Sorry appreciate ypur help, it's a small setup but complex for me lol
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month8 days, 21 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
