
Solved

Threat Management Gateway Configuration

Posted on 2012-03-14
744 Views
Last Modified: 2012-03-21
Current configuration -
1 Cisco ASA with 3 interfaces configured, 1 - Internet, 1 - LAN, and 1 - DMZ
1 Edge Transport server connected to the DMZ
2 CAS/HT in a CAS Array with MS NLB connected to the LAN
2 Mailbox servers connected to the LAN with failover clustering

I have created an Edge Subscription and the Test-EdgeSynchronization all worked and mail passes from the Internet through the Edge server and to the HTs, and of course then to the Mailbox servers. My problem is that when I install TMG, the EdgeSync fails, unable to connect to LDAP server. So it's for sure something with TMG. I had it set up with a single NIC and am seeing some postings out there that this might not be the best design. Is it possible that's why this isn't working? Any suggestions or help in a step-by-step configuration for this would be great. I haven't seen anything that is exactly how my setup is and have tried all and still not working.
Question by:rsgdmn
7 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 37724845
You can't just "install TMG".  TMG was designed as a direct replacement for products such as ASA.   Introducing a TMG introduces a Topology re-design that has to be planned and accounted for.

Now in the case of a single-nic TMG, which is pretty much worthless and a waste of money considering what the product costs,...the only thing you are going to do with it is Web Caching for outbound Web Requests from the Users.   It is not going to be involved in anything else,...nothing else is going to be involved with it,...nothing else is going to know it is even there,...or even care that it is there.  

Basically it is just totally irrelevant,...and even the users can avoid it by removing their browser's proxy setting.  It cannot be used by anything at Layers 3 & 4,...and you cannot use it for anything based on Winsock,...and the Winsock Client (TMG Client) will not and cannot be used.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37728110
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

That's a worry.... please provide a diagram of what you DO have.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37729841
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

At the risk of sounding blunt,....that would imply then that you did it wrong.
0

 

Author Comment

by:rsgdmn
ID: 37730047
Yeah, I guess I did do it wrong. I was originally told if I'm going to use ActiveSync and OWA without having to use VPN that I should have an Edge Transport server so I don't have a public facing server with a full version of AD on it, such as my CAS/HT servers. Then I found out that ActiveSync and OWA won't connect to the Edge, they need to connect to a CAS, and in order to avoid having your CAS public facing, you install TMG on the Edge. So it's been a step-by-step learning process.

The Edge worked fine in the DMZ with a single NIC but, as I mentioned, that didn't solve my ActiveSync and OWA issues. So I added TMG, which does have an option in the setup for a single NIC, but I see now that's not what I need. I opened a case with MS and they said a single NIC wasn't supported with what I'm doing so he cancelled that call. But he told me to use 2 NICs and use the Edge topology template in TMG because it would be easier to configure that way.

I have added a 2nd NIC on the Edge/TMG server and have configured it with an IP Address from my LAN (172.16.106.109) and connected it to my LAN switch without configuring a default gateway or DNS servers. I also unchecked the register in DNS setting so it doesn't register. I've configured the other NIC with a DMZ IP Address (10.10.105.101) and set the default gateway to the DMZ interface on my Cisco ASA and public DNS servers. Am I on the right path? Does this setup make sense?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 37730225
Not quite.

The internal nic should not have a default gateway but MUST have DNS entries - these entries should point to your INTERNAL dns servers on the LAN. The external nic DOES have a default gateway but BLANK dns entries. Bottom line, TMG looks inward for dns resolution - when it needs to know about outside stuff it asks the internal dns servers to resolve the addresses.
0
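The accepted answer's rule (internal NIC: DNS servers set, no default gateway; external NIC: default gateway set, blank DNS) can be checked on the TMG/Edge box itself. The script below is an added example, not from the thread or from Microsoft; it reads adapter settings through WMI so it runs on the PowerShell 2.0 that ships with the Windows Server of that era. The connection names 'LAN' and 'DMZ' are assumptions; substitute the names that ipconfig /all shows on your server.

```powershell
# Added example (not from the thread): audit a two-NIC TMG/Edge server against the
# NIC rule in the accepted answer. Connection names are assumptions; edit them.
$InternalNic = 'LAN'   # in the thread: 172.16.106.109, plugged into the LAN switch
$ExternalNic = 'DMZ'   # in the thread: 10.10.105.101, facing the ASA DMZ interface

function Get-NicIpConfig([string]$ConnectionName) {
    # Win32_NetworkAdapter carries the friendly connection name; its Index links
    # to the matching Win32_NetworkAdapterConfiguration (IP, gateway, DNS settings).
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $adapter) { throw "No adapter with connection name '$ConnectionName'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
}

function Test-TmgNic([string]$ConnectionName, [bool]$ExpectGateway, [bool]$ExpectDns) {
    $cfg      = Get-NicIpConfig $ConnectionName
    $gateways = @($cfg.DefaultIPGateway   | Where-Object { $_ })   # empty array when none set
    $dns      = @($cfg.DNSServerSearchOrder | Where-Object { $_ })
    $problems = @()
    if ($ExpectGateway -and $gateways.Count -eq 0) {
        $problems += 'no default gateway (the external NIC must have one)'
    }
    if (-not $ExpectGateway -and $gateways.Count -gt 0) {
        $problems += "default gateway $($gateways -join ', ') must be removed"
    }
    if ($ExpectDns -and $dns.Count -eq 0) {
        $problems += 'no DNS servers (point the internal NIC at the internal LAN DNS servers)'
    }
    if (-not $ExpectDns -and $dns.Count -gt 0) {
        $problems += "DNS servers $($dns -join ', ') must be left blank"
    }
    Write-Host ("{0} ({1}): gateway=[{2}] dns=[{3}]" -f $ConnectionName,
        ($cfg.IPAddress -join ', '), ($gateways -join ', '), ($dns -join ', '))
    if ($problems.Count -eq 0) { Write-Host '  OK' }
    else { $problems | ForEach-Object { Write-Host "  PROBLEM: $_" } }
    return ($problems.Count -eq 0)
}

# Check both NICs (do not short-circuit, so both reports are printed).
$internalOk = Test-TmgNic $InternalNic $false $true
$externalOk = Test-TmgNic $ExternalNic $true  $false
if (-not ($internalOk -and $externalOk)) {
    Write-Host 'Fix the NIC settings above before re-running Test-EdgeSynchronization.'
}
```

Run it in an elevated PowerShell on the TMG server; it only reads settings and changes nothing.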
 

Author Comment

by:rsgdmn
ID: 37743579
Thanks. I did get it setup and kind of working. I have had some successful EdgeSyncs, however, for every successful one I have I seem to find a whole slew of them when I query the logs that are being denied connection by the default firewall policy. Yet a short time later it will show it checked the LDAPS policy and allowed it, and then go back to failing. I opened a case with MS to help figure it out. But I do seem to have user info when I query LDAP on the Edge now. I just want to see the errors go away before NATing my email traffic through this server. This was a little more than I was expecting, but I'm learning a lot, which is always good.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37743876
Run up the best practice analyser and see what you get.
0
