Solved

Threat Management Gateway Configuration

Posted on 2012-03-14
734 Views
Last Modified: 2012-03-21
Current configuration -
1 Cisco ASA with 3 interfaces configured, 1 - Internet, 1 - LAN, and 1 - DMZ
1 Edge Transport server connected to the DMZ
2 CAS/HT in a CAS Array with MS NLB connected to the LAN
2 Mailbox servers connected to the LAN with failover clustering

I have created an Edge Subscription and the Test-EdgeSynchronization all worked and mail passes from the Internet through the Edge server and to the HTs, and of course then to the Mailbox servers. My problem is that when I install TMG, the EdgeSync fails, unable to connect to LDAP server. So it's for sure something with TMG. I had it set up with a single NIC and am seeing some postings out there that this might not be the best design. Is it possible that's why this isn't working? Any suggestions or help in a step-by-step configuration for this would be great. I haven't seen anything that is exactly how my setup is and have tried all and still not working.
Question by:rsgdmn
7 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 37724845
You can't just "install TMG".  TMG was designed as a direct replacement for products such as ASA.   Introducing a TMG introduces a Topology re-design that has to be planned and accounted for.

Now in the case of a single-nic TMG, which is pretty much worthless and a waste of money considering what the product costs,...the only thing you are going to do with it is Web Caching for outbound Web Requests from the Users.   It is not going to be involved in anything else,...nothing else is going to be involved with it,...nothing else is going to know it is even there,...or even care that it is there.  

Basically it is just totally irrelevant,...and even the users can avoid it by removing their browser's proxy setting.  It cannot be used by anything at Layers 3 & 4,...and you cannot use it for anything based on Winsock,...and the Winsock Client (TMG Client) will not and cannot be used.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37728110
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

That's a worry.... please provide a diagram of what you DO have.
 
LVL 29

Expert Comment

by:pwindell
ID: 37729841
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

At the risk of sounding blunt,....that would imply then that you did it wrong.
 

Author Comment

by:rsgdmn
ID: 37730047
Yeah, I guess I did do it wrong. I was originally told if I'm going to use ActiveSync and OWA without having to use VPN that I should have an Edge Transport server so I don't have a public facing server with a full version of AD on it, such as my CAS/HT servers. Then I found out that ActiveSync and OWA won't connect to the Edge, they need to connect to a CAS, and in order to avoid having your CAS public facing, you install TMG on the Edge. So it's been a step-by-step learning process.

The Edge worked fine in the DMZ with a single NIC but, as I mentioned, that didn't solve my ActiveSync and OWA issues. So I added TMG, which does have an option in the setup for a single NIC, but I see now that's not what I need. I opened a case with MS and they said a single NIC wasn't supported with what I'm doing so he cancelled that call. But he told me to use 2 NICs and use the Edge topology template in TMG because it would be easier to configure that way.

I have added a 2nd NIC on the Edge/TMG server and have configured it with an IP Address from my LAN (172.16.106.109) and connected it to my LAN switch without configuring a default gateway or DNS servers. I also unchecked the register in DNS setting so it doesn't register. I've configured the other NIC with a DMZ IP Address (10.10.105.101) and set the default gateway to the DMZ interface on my Cisco ASA and public DNS servers. Am I on the right path? Does this setup make sense?
 
LVL 51

Accepted Solution

by:Keith Alabaster (earned 500 total points)
ID: 37730225
Not quite.

The internal nic should not have a default gateway but MUST have DNS entries - these entries should point to your INTERNAL dns servers on the LAN. The external nic DOES have a default gateway but BLANK dns entries. Bottom line, TMG looks inward for dns resolution - when it needs to know about outside stuff it asks the internal dns servers to resolve the addresses.
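The rule in the accepted answer (internal NIC: no default gateway, DNS pointing at the LAN DNS servers, no DNS registration; external NIC: default gateway set, DNS left blank) can be checked on the TMG box itself. The script below is an added example, not code from this thread or from Microsoft; it assumes the internal NIC sits on 172.16.106.x and the external NIC on 10.10.105.x (the addresses the author gave), and the two internal DNS server addresses are placeholders you would replace with your own DCs. It uses Win32_NetworkAdapterConfiguration because that class is available on Windows Server 2008 R2 with PowerShell 2.0, where the Get-Net* cmdlets do not exist.

```powershell
# Added example (not from the thread): audit a two-NIC TMG/Edge server against
# the accepted answer's gateway and DNS rule.
$InternalPrefix = '172.16.106.'                    # LAN side (author's address range)
$ExternalPrefix = '10.10.105.'                     # DMZ side (author's address range)
$InternalDns    = @('172.16.106.10', '172.16.106.11')   # ASSUMPTION: placeholder LAN DNS servers

function Test-TmgNicConfig {
    param(
        [string]$InternalPrefix,
        [string]$ExternalPrefix,
        [string[]]$InternalDns
    )
    # Works on Server 2008 R2 / PowerShell 2.0, unlike Get-NetIPConfiguration (Server 2012+).
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        # Keep the first IPv4 address; IPAddress may also carry IPv6 entries.
        $ip = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]
        if (-not $ip) { continue }
        $gw  = @($nic.DefaultIPGateway)
        $dns = @($nic.DNSServerSearchOrder)
        $problems = @()

        if ($ip.StartsWith($InternalPrefix)) {
            $role = 'internal'
            if ($gw.Count -gt 0) { $problems += "has default gateway $($gw -join ',') (should have none)" }
            if ($dns.Count -eq 0) {
                $problems += 'has no DNS servers (should list the internal DNS servers)'
            } else {
                foreach ($d in $dns) {
                    if ($InternalDns -notcontains $d) { $problems += "DNS server $d is not an internal DNS server" }
                }
            }
            if ($nic.FullDNSRegistrationEnabled) { $problems += 'registers its address in DNS (should not)' }
        } elseif ($ip.StartsWith($ExternalPrefix)) {
            $role = 'external'
            if ($gw.Count -eq 0) { $problems += 'has no default gateway (should point at the ASA DMZ interface)' }
            if ($dns.Count -gt 0) { $problems += "has DNS servers $($dns -join ',') (should be blank)" }
            if ($nic.FullDNSRegistrationEnabled) { $problems += 'registers its address in DNS (should not)' }
        } else {
            $role = 'unknown'
            $problems += 'address matches neither the internal nor the external prefix'
        }

        New-Object PSObject -Property @{
            Adapter  = $nic.Description
            Role     = $role
            Address  = $ip
            Gateway  = ($gw -join ',')
            Dns      = ($dns -join ',')
            Problems = ($problems -join '; ')
        }
    }
}

Test-TmgNicConfig -InternalPrefix $InternalPrefix -ExternalPrefix $ExternalPrefix -InternalDns $InternalDns |
    Format-Table Adapter, Role, Address, Gateway, Dns, Problems -AutoSize -Wrap
```

Run it in an elevated PowerShell on the TMG server. An empty Problems column on both rows means the adapters match the answer's rule; with the configuration the author described (public DNS servers on the DMZ-facing NIC, no DNS on the LAN-facing NIC) both rows will be flagged.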
 

Author Comment

by:rsgdmn
ID: 37743579
Thanks. I did get it set up and kind of working. I have had some successful EdgeSyncs, however, for every successful one I have I seem to find a whole slew of them when I query the logs that are being denied connection by the default firewall policy. Yet a short time later it will show it checked the LDAPS policy and allowed it, and then go back to failing. I opened a case with MS to help figure it out. But I do seem to have user info when I query LDAP on the Edge now. I just want to see the errors go away before NATing my email traffic through this server. This was a little more than I was expecting, but I'm learning a lot, which is always good.
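Because the denials the author describes are intermittent (some EdgeSync runs pass, many are dropped by the default rule), a single successful Test-EdgeSynchronization does not prove the TMG policy is right. The probe below is an added example, not code from this thread: run from a Hub Transport server, it opens TCP connections repeatedly to the Edge server's LAN-side address and counts how many are refused or time out. It assumes the internal address 172.16.106.109 the author gave, and uses TCP 50636, the default port on which EdgeSync connects to the Edge server's AD LDS instance over secure LDAP, plus TCP 25 for the Hub-to-Edge SMTP hop. The attempt count and timeout are arbitrary.

```powershell
# Added example (not from the thread): repeated TCP probes from a Hub Transport
# server to the Edge's internal NIC, to surface intermittent firewall denials.
function Test-EdgePort {
    param(
        [string]$Server,
        [int]$Port,
        [int]$Attempts  = 10,     # ASSUMPTION: arbitrary sample size
        [int]$TimeoutMs = 3000    # ASSUMPTION: arbitrary connect timeout
    )
    $ok = 0; $failed = 0
    for ($i = 1; $i -le $Attempts; $i++) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a silently dropped SYN cannot hang the loop.
            $async = $client.BeginConnect($Server, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
                $client.EndConnect($async)
                $ok++
            } else {
                $failed++          # timed out (dropped) or not connected
            }
        } catch {
            $failed++              # actively refused or other socket error
        } finally {
            $client.Close()
        }
        Start-Sleep -Milliseconds 500
    }
    New-Object PSObject -Property @{
        Server    = $Server
        Port      = $Port
        Succeeded = $ok
        Failed    = $failed
    }
}

$edgeInternal = '172.16.106.109'   # Edge/TMG LAN-side address from the thread
foreach ($p in 50636, 25) {
    Test-EdgePort -Server $edgeInternal -Port $p
}
# Compare with Exchange's own view from the same Hub server:
# Test-EdgeSynchronization
```

A Failed count above zero on 50636 while the TMG log shows the LDAPS rule allowing some connections points at rule ordering or network-object definitions on TMG (which source network the Hub addresses are placed in) rather than at the Edge subscription itself; a Failed count on 25 means the SMTP hop would hit the same problem once mail is routed through the box.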
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37743876
Run up the best practice analyser and see what you get.
