Solved

Threat Management Gateway Configuration

Posted on 2012-03-14
Last Modified: 2012-03-21
Current configuration -
1 Cisco ASA with 3 interfaces configured, 1 - Internet, 1 - LAN, and 1 - DMZ
1 Edge Transport server connected to the DMZ
2 CAS/HT in a CAS Array with MS NLB connected to the LAN
2 Mailbox servers connected to the LAN with failover clustering

I have created an Edge Subscription and the Test-EdgeSynchronization all worked and mail passes from the Internet through the Edge server and to the HTs, and of course then to the Mailbox servers. My problem is that when I install TMG, the EdgeSync fails, unable to connect to LDAP server. So it's for sure something with TMG. I had it set up with a single NIC and am seeing some postings out there that this might not be the best design. Is it possible that's why this isn't working? Any suggestions or help in a step-by-step configuration for this would be great. I haven't seen anything that is exactly how my setup is and have tried all and still not working.
Question by:rsgdmn
 
Expert Comment

by:pwindell
ID: 37724845
You can't just "install TMG".  TMG was designed as a direct replacement for products such as ASA.   Introducing a TMG introduces a Topology re-design that has to be planned and accounted for.

Now in the case of a single-NIC TMG, which is pretty much worthless and a waste of money considering what the product costs,...the only thing you are going to do with it is Web Caching for outbound Web Requests from the Users.   It is not going to be involved in anything else,...nothing else is going to be involved with it,...nothing else is going to know it is even there,...or even care that it is there.

Basically it is just totally irrelevant,...and even the users can avoid it by removing their browser's proxy setting.  It cannot be used by anything at Layers 3 & 4,...and you cannot use it for anything based on Winsock,...and the Winsock Client (TMG Client) will not and cannot be used.
 
Expert Comment

by:Keith Alabaster
ID: 37728110
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

That's a worry.... please provide a diagram of what you DO have.
 
Expert Comment

by:pwindell
ID: 37729841
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

At the risk of sounding blunt,....that would imply then that you did it wrong.

Author Comment

by:rsgdmn
ID: 37730047
Yeah, I guess I did do it wrong. I was originally told if I'm going to use ActiveSync and OWA without having to use VPN that I should have an Edge Transport server so I don't have a public facing server with a full version of AD on it, such as my CAS/HT servers. Then I found out that ActiveSync and OWA won't connect to the Edge, they need to connect to a CAS, and in order to avoid having your CAS public facing, you install TMG on the Edge. So it's been a step-by-step learning process.

The Edge worked fine in the DMZ with a single NIC but, as I mentioned, that didn't solve my ActiveSync and OWA issues. So I added TMG, which does have an option in the setup for a single NIC, but I see now that's not what I need. I opened a case with MS and they said a single NIC wasn't supported with what I'm doing, so he cancelled that call. But he told me to use 2 NICs and use the Edge topology template in TMG because it would be easier to configure that way.

I have added a 2nd NIC on the Edge/TMG server and have configured it with an IP Address from my LAN (172.16.106.109) and connected it to my LAN switch without configuring a default gateway or DNS servers. I also unchecked the register in DNS setting so it doesn't register. I've configured the other NIC with a DMZ IP Address (10.10.105.101) and set the default gateway to the DMZ interface on my Cisco ASA and public DNS servers. Am I on the right path? Does this setup make sense?
 
Accepted Solution

by:Keith Alabaster (earned 500 total points)
ID: 37730225
Not quite.

The internal NIC should not have a default gateway but MUST have DNS entries - these entries should point to your INTERNAL DNS servers on the LAN. The external NIC DOES have a default gateway but BLANK DNS entries. Bottom line, TMG looks inward for DNS resolution - when it needs to know about outside stuff it asks the internal DNS servers to resolve the addresses.
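A quick way to verify the two-NIC rule from the accepted answer on the TMG box itself, as an added example that is not part of the thread or of TMG: the adapter names and the internal DNS server list are assumptions and must be changed to match the server.

```powershell
# Added example, not from the thread: audits a two-NIC TMG server against the
# rule in the accepted answer (internal NIC: no gateway, internal DNS only;
# external NIC: gateway set, no DNS). Adapter names and the DNS list are assumptions.
$InternalNic = "Internal"            # assumed name of the LAN-facing adapter
$ExternalNic = "External"            # assumed name of the DMZ-facing adapter
$InternalDns = @("172.16.106.10")    # assumed LAN DNS server(s); not from the thread

function Get-NicConfig([string]$Name) {
    # Win32_NetworkAdapter holds the friendly name; its *Configuration holds IP/DNS settings
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if (-not $adapter) { throw "Adapter '$Name' not found" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$($adapter.InterfaceIndex)"
}

function Test-TmgNic([string]$Name, [bool]$WantGateway, [string[]]$WantDns) {
    $cfg = Get-NicConfig $Name
    $findings = @()
    $gateways = @($cfg.DefaultIPGateway | Where-Object { $_ })
    $dns = @($cfg.DNSServerSearchOrder | Where-Object { $_ })

    if ($WantGateway -and $gateways.Count -eq 0) {
        $findings += "no default gateway; the external NIC needs one (the ASA DMZ interface)"
    }
    if (-not $WantGateway -and $gateways.Count -gt 0) {
        $findings += "default gateway $($gateways -join ',') set; the internal NIC must have none"
    }
    if ($WantDns.Count -eq 0 -and $dns.Count -gt 0) {
        $findings += "DNS servers $($dns -join ',') set; the external NIC must have none"
    }
    if ($WantDns.Count -gt 0) {
        $missing = @($WantDns | Where-Object { $dns -notcontains $_ })
        if ($missing.Count -gt 0) { $findings += "internal DNS server(s) missing: $($missing -join ',')" }
        $stray = @($dns | Where-Object { $WantDns -notcontains $_ })
        if ($stray.Count -gt 0) { $findings += "non-internal DNS server(s) present: $($stray -join ',')" }
    }
    New-Object PSObject -Property @{ Adapter = $Name; IP = ($cfg.IPAddress -join ','); Findings = $findings }
}

$results = @(
    (Test-TmgNic $InternalNic -WantGateway $false -WantDns $InternalDns),
    (Test-TmgNic $ExternalNic -WantGateway $true  -WantDns @())
)
foreach ($r in $results) {
    if ($r.Findings.Count -eq 0) { Write-Output "$($r.Adapter) ($($r.IP)): OK" }
    else { $r.Findings | ForEach-Object { Write-Output "$($r.Adapter) ($($r.IP)): $_" } }
}
```

Run it in an elevated PowerShell on the TMG server; any line other than "OK" names the setting that contradicts the accepted answer.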
 

Author Comment

by:rsgdmn
ID: 37743579
Thanks. I did get it set up and kind of working. I have had some successful EdgeSyncs, however, for every successful one I have I seem to find a whole slew of them when I query the logs that are being denied connection by the default firewall policy. Yet a short time later it will show it checked the LDAPS policy and allowed it, and then go back to failing. I opened a case with MS to help figure it out. But I do seem to have user info when I query LDAP on the Edge now. I just want to see the errors go away before NATing my email traffic through this server. This was a little more than I was expecting, but I'm learning a lot, which is always good.
 
Expert Comment

by:Keith Alabaster
ID: 37743876
Run up the best practice analyser and see what you get.