Avatar of Rick Goodman
Rick Goodman asked on

Threat Management Gateway Configuration

Current configuration -
1 Cisco ASA with 3 interfaces configured, 1 - Internet, 1 - LAN, and 1 - DMZ
1 Edge Transport server connected to the DMZ
2 CAS/HT in a CAS Array with MS NLB connected to  the LAN
2 Mailbox servers connected to the LAN with failover clustering

I have created an Edge Subscription and the Test-EdgeSynchronization all worked and mail passes from the Internet through the Edge server and to the HTs, and of course then to the Mailbox servers. My problem is that when I install TMG, the EdgeSync fails, unable to connect to LDAP server. So it's for sure something with TMG. I had it set up with a single NIC and am seeing some postings out there that this might not be the best design. Is it possible that's why this isn't working? Any suggestions or help in a step-by-step configuration for this would be great. I haven't seen anything that is exactly how my setup is and have tried all and still not working.
Microsoft Forefront ISA ServerExchange

Avatar of undefined
Last Comment
Keith Alabaster

8/22/2022 - Mon

You can't just "install TMG".  TMG was designed as a direct replacement for products such as ASA.   Introducing a TMG introduces a Topology re-design that has to be planned and accounted for.

Now in the case of a single-nic TMG, which is pretty much worthless and a waste of money considering what the product costs,...the only thing you are going to do with it is Web Caching for outbound Web Requests from the Users.   It is not going to be involved in anything else,...nothing else it going to be involved with it,...nothing else is going to know it is even there,...of even care that it is there.  

Basically it is just totally irrelevant,...and even the users can avoid it by removing their browser's proxy setting.  It cannot be used by anything at Layers 3 & 4,...and you cannot use it for anything based on Winsock,...and the Winsock Client (TMG Client) will not and cannot be used.
Keith Alabaster

<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

That's a worry.... please provide a diagram of what you DO have.

<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

At the risk of sounding blunt,....that would imply then that you did it wrong.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Rick Goodman

Yeah, I guess I did do it wrong. I was originally told if I'm going to use ActiveSync and OWA without having to use VPN that I should have an Edge Transport server so I don't have a public facing server with a full version of AD on it, such as my CAS/HT servers. Then I found out that ActiveSync and OWA won't connect to the Edge, they need to connect to a CAS, and in order to avoid having your CAS public facing, you install TMG on the Edge. So it's been a step-by-step learning process.

The Edge worked fine in the DMZ with a single NIC but, as I mentioned, that didn't solve my ActiveSync and OWA issues. So I added TMG, which does have an option in the setup for a single NIC, but I see now that's not what I need. I opened a case with MS and they said a single NIC wasn't supported with what I'm doing so he cancelled that call. But he told me to use 2 NICs and use the use the Edge topology template in TMG because it would be easier to configure that way.

I have added a 2nd NIC on the Edge/TMG server and have configured it with an IP Address from my LAN ( and connected it to my LAN switch without configuring a default gateway or DNS servers. I also unchecked the register in DNS setting so it doesn't register. I've configured the other NIC with a DMZ IP Address ( and set the default gateway to the DMZ interface on my Cisco ASA and public DNS servers. Am I on the right path? Does this setup make sense?
Keith Alabaster

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Rick Goodman

Thanks. I did get it setup and kind of working. I have had some successful EdgeSyncs, however, for every successful one I have I seem to find a whole slew of them when I query the logs that are being denied connection by the default firewall policy. Yet a short time later it will show it checked the LDAPS policy and allowed it, and then go back to failing. I opened a case with MS to help figure it out. But I do seem to have user info when I query LDAP on the Edge now. I just want to see the errors go away before NATing my email traffic through this server. This was a little more than I was expecting, but I'm learning a lot, which is always good.
Keith Alabaster

Run up the best practice analyser and see what you get.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.