TMG2010 multiple gateways problem

Hello everyone,

Again with another TMG2010 problem, actually not a problem , a dilemma .

Attached is our network diagrams, please don't ask why the network design is really stupid but we have to do it like this temporarily (several sites,links and stuff) also the network addresses are just for explanation.

Bottom line, we have a TMG2010 in the same address pool as the Users, who are using the TMG's web proxy to access the internet.
The TMG is set as an EDGE firewall, the internal NIC have an ip in the users ip address space, and the external NIC have a public IP address
I've set the gateway on the external NIC to be the internet gateway, and removed the gateway of the internal NIC (typical EDGE firewall design)  
The problem is that the domain controller is on a third network ( ,so TMG can't reach it to do the users authentication (integrate windows domain authentication).

Simple explanation: When the user opens internet explorer (TMG is set as a proxy in it), the authentication dialog box appears, and of course will not work if i entered my user and password because TMG will not be able to see if they are correct because it can't reach the DC.

so the best way to explain this is how to let TMG reach the domain controller ?

sorry about the crappy diagram and explanation
Thank you in advance.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
The default gateway on the TMG extyernal nic needs to be the ip address of your external router (yours or the ISP's router).
On the TMG, add a static route either in the networking - routing tab of the gui or from a DOS/command line.

from your example,

c:\route -p add 10-10.10.0 mask

Also, make sure that the - entry is added to the list of internal IP addresses in the TMG gui
(networking - networks - internal - addresses)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bruno PACIIT ConsultantCommented:

Nothing stupid in your network diagram and your case is absolutly common case.
As you have done, the TMG server must have only a default gateway declared on the external NIC, not on the internal one. That's good.

Now, you only have to manually add static IP routes for all your internal networks.
Instead of identify each IP subnet inside your network, and as private IP ranges can never exist on internet, you can declare the 3 static IP routes for the 3 private IP ranges (, and
On your TMG server, open a CMD console (open it as administrator).
In the CMD prompt type the following to add the static IP routes:


Have a good day
a77Author Commented:
Thank you very much guys, appreciate it
Keith AlabasterEnterprise ArchitectCommented:
Welcome :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Architecture

From novice to tech pro — start learning today.