I'm currently in the process of negotiating a firewall change at a large network I support such that we are provided with a routed block of IPs which terminate directly on the local Forefront TMG firewall. At present, the TMG sits behind another firewall at the ISP (don't ask!).
Present config: External IP 18.104.22.168 terminates on the ISP's firewall. If traffic matches a firewall rule, the ISP passes that traffic to an internal 10.0.0.0/22 subnet. Different public IPs provided by the ISP are mapped to different addresses in 10.0.0.0/22. Those 10.0.0.0/22 addresses are on the TMG's WAN interface and are then routed to our internal LAN ranges by the TMG on 172.16.0.0.
Although my understanding of routing is usually very good, I will openly admit that the routing techniques used out in the cloud to route traffic are not one of my strong points.
The ISP is providing us with 2 options on how our service can be configured.
Option 1: Public IP range to the WAN interface of the TMG and configuring the firewall to use proxy-ARP.
The diagrams provided show an example with the router operating on 192.168.0.6 and the firewall masquerading as 192.168.0.1-192.168.0.5 using proxy-ARP.
Option 2: The ISP router will statically route a public IP range to the WAN interface of the TMG.
The diagrams provided in this case show a router on 10.0.0.2 and a firewall WAN interface on 10.0.0.1, with notation that the router sends the external IP block to the customer firewall on 10.0.0.1.
I really don't understand enough about this to make an informed decision. I understand proxy-ARP but some cursory reading tells me this doesn't seem to be supported in Forefront TMG.
Option 2 sounds very similar to the present configuration in terms of its IP routing. However, I don't understand how requests on different public IPs are handled if the TMG only has 10.0.0.1 on its public interface. How can TMG differentiate between one public IP and the other?
I would appreciate some starting direction in response to the above questions, and I'm sure I will have other questions. I can upload the diagrams provided by the ISP if required.
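To illustrate the mechanics behind Option 2 (a static route on the ISP router whose next hop is the TMG WAN address), here is an added toy model, not code from the question or from any ISP or Microsoft documentation. It assumes a constructed public block 203.0.113.0/29 and a constructed upstream next hop 198.51.100.1; the point it shows is that ordinary routing changes only the next hop, never the destination header, so every packet reaching 10.0.0.1 still carries the public address it was sent to, and rules can be keyed on that address.

```python
"""Toy model of Option 2: ISP router forwards a routed public block
to next hop 10.0.0.1 (the TMG WAN address) without rewriting packets.
Constructed values: 203.0.113.0/29 stands in for the real public block,
198.51.100.1 for the ISP's upstream; neither comes from the question."""
from ipaddress import ip_address, ip_network

TMG_WAN = ip_address("10.0.0.1")

# ISP router routing table: (prefix, next_hop); None = directly connected
ISP_ROUTER_ROUTES = [
    (ip_network("10.0.0.0/30"), None),                      # link to the TMG
    (ip_network("203.0.113.0/29"), TMG_WAN),                # routed customer block
    (ip_network("0.0.0.0/0"), ip_address("198.51.100.1")),  # default, constructed
]

# Firewall rules keyed on the destination address the packet still carries.
# Hypothetical rule names; internal hosts are constructed 172.16.x addresses.
TMG_RULES = {
    ip_address("203.0.113.2"): "web-publishing -> 172.16.1.10:443",
    ip_address("203.0.113.3"): "mail-publishing -> 172.16.1.20:25",
}

def isp_next_hop(dst):
    """Longest-prefix match on the ISP router; returns the next hop
    (None when the destination is on a directly connected link)."""
    dst = ip_address(dst)
    matches = [r for r in ISP_ROUTER_ROUTES if dst in r[0]]
    prefix, next_hop = max(matches, key=lambda r: r[0].prefixlen)
    return next_hop

def tmg_classify(packet):
    """What the TMG sees on its WAN interface: the original public
    destination, untouched, so it can select a rule per public IP."""
    return TMG_RULES.get(ip_address(packet["dst"]), "no rule: dropped")

def deliver(packet):
    """Forward one packet from the ISP router. Only the next hop is chosen;
    src/dst headers are left exactly as sent, unlike the present 1:1 NAT."""
    next_hop = isp_next_hop(packet["dst"])
    if next_hop == TMG_WAN:
        return tmg_classify(packet)
    return f"forwarded to {next_hop}"

if __name__ == "__main__":
    for dst in ("203.0.113.2", "203.0.113.3", "203.0.113.4", "192.0.2.9"):
        print(dst, "->", deliver({"src": "192.0.2.50", "dst": dst}))
```

Two packets sent to different public addresses arrive at the same 10.0.0.1 next hop but are told apart purely by their unchanged destination field; an address in the block with no rule is simply dropped by the firewall.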