• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 746

Threat Management Gateway Configuration

Current configuration -
1 Cisco ASA with 3 interfaces configured, 1 - Internet, 1 - LAN, and 1 - DMZ
1 Edge Transport server connected to the DMZ
2 CAS/HT in a CAS Array with MS NLB connected to the LAN
2 Mailbox servers connected to the LAN with failover clustering

I have created an Edge Subscription and the Test-EdgeSynchronization all worked and mail passes from the Internet through the Edge server and to the HTs, and of course then to the Mailbox servers. My problem is that when I install TMG, the EdgeSync fails, unable to connect to LDAP server. So it's for sure something with TMG. I had it set up with a single NIC and am seeing some postings out there that this might not be the best design. Is it possible that's why this isn't working? Any suggestions or help in a step-by-step configuration for this would be great. I haven't seen anything that is exactly how my setup is and have tried all and still not working.
Asked by: rsgdmn
1 Solution
 
pwindell commented:
You can't just "install TMG".  TMG was designed as a direct replacement for products such as ASA.   Introducing a TMG introduces a topology re-design that has to be planned and accounted for.

Now in the case of a single-NIC TMG, which is pretty much worthless and a waste of money considering what the product costs,...the only thing you are going to do with it is Web Caching for outbound Web Requests from the Users.   It is not going to be involved in anything else,...nothing else is going to be involved with it,...nothing else is going to know it is even there,...or even care that it is there.

Basically it is just totally irrelevant,...and even the users can avoid it by removing their browser's proxy setting.  It cannot be used by anything at Layers 3 & 4,...and you cannot use it for anything based on Winsock,...and the Winsock Client (TMG Client) will not and cannot be used.
 
Keith Alabaster commented:
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

That's a worry.... please provide a diagram of what you DO have.
 
pwindell commented:
<I haven't seen anything that is exactly how my setup is and have tried all and still not working.>

At the risk of sounding blunt,....that would imply then that you did it wrong.

 
rsgdmn (Author) commented:
Yeah, I guess I did do it wrong. I was originally told if I'm going to use ActiveSync and OWA without having to use VPN that I should have an Edge Transport server so I don't have a public facing server with a full version of AD on it, such as my CAS/HT servers. Then I found out that ActiveSync and OWA won't connect to the Edge, they need to connect to a CAS, and in order to avoid having your CAS public facing, you install TMG on the Edge. So it's been a step-by-step learning process.

The Edge worked fine in the DMZ with a single NIC but, as I mentioned, that didn't solve my ActiveSync and OWA issues. So I added TMG, which does have an option in the setup for a single NIC, but I see now that's not what I need. I opened a case with MS and they said a single NIC wasn't supported with what I'm doing, so he cancelled that call. But he told me to use 2 NICs and use the Edge topology template in TMG because it would be easier to configure that way.

I have added a 2nd NIC on the Edge/TMG server and have configured it with an IP Address from my LAN (172.16.106.109) and connected it to my LAN switch without configuring a default gateway or DNS servers. I also unchecked the register in DNS setting so it doesn't register. I've configured the other NIC with a DMZ IP Address (10.10.105.101) and set the default gateway to the DMZ interface on my Cisco ASA and public DNS servers. Am I on the right path? Does this setup make sense?
 
Keith Alabaster commented:
Not quite.

The internal NIC should not have a default gateway but MUST have DNS entries - these entries should point to your INTERNAL DNS servers on the LAN. The external NIC DOES have a default gateway but BLANK DNS entries. Bottom line, TMG looks inward for DNS resolution - when it needs to know about outside stuff it asks the internal DNS servers to resolve the addresses.
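The two-NIC layout the author describes (172.16.106.109 on the LAN side, 10.10.105.101 on the DMZ side) and the gateway/DNS rule in the reply above, applied and then verified, as an added example; this is not code from anyone in this thread. It assumes adapter names "LAN" and "DMZ", /24 masks on both, a DMZ default gateway of 10.10.105.1 (the ASA's DMZ interface) and internal DNS servers at 172.16.106.10 and 172.16.106.11; none of those values appear in the thread. It uses netsh rather than the NetTCPIP cmdlets because TMG 2010 runs on Windows Server 2008 R2, which does not ship them.

```powershell
# Added example: configure a dual-homed TMG/Edge server so that
#   - the internal (LAN) NIC has NO default gateway, INTERNAL DNS servers,
#     and does not register itself in DNS;
#   - the external (DMZ) NIC has the default gateway and NO DNS servers;
# then read the result back through WMI and report whether each NIC matches.
# Run in an elevated PowerShell prompt on the TMG server.

$internalNic = "LAN"                 # assumed adapter name
$externalNic = "DMZ"                 # assumed adapter name
$internalIp  = "172.16.106.109"      # from the thread
$externalIp  = "10.10.105.101"       # from the thread
$mask        = "255.255.255.0"       # assumed
$dmzGateway  = "10.10.105.1"         # assumed: ASA DMZ interface
$internalDns = @("172.16.106.10", "172.16.106.11")  # assumed: LAN DNS servers

# --- Internal NIC: static address, no gateway, internal DNS, no registration ---
netsh interface ipv4 set address name="$internalNic" source=static address=$internalIp mask=$mask
netsh interface ipv4 set dnsservers name="$internalNic" source=static address=$($internalDns[0]) register=none validate=no
netsh interface ipv4 add dnsservers name="$internalNic" address=$($internalDns[1]) index=2 validate=no

# --- External NIC: static address with default gateway, DNS list cleared ---
netsh interface ipv4 set address name="$externalNic" source=static address=$externalIp mask=$mask gateway=$dmzGateway gwmetric=1
netsh interface ipv4 set dnsservers name="$externalNic" source=static address=none register=none validate=no

# --- Verification: compare what Windows actually has against the rule ---
function Test-TmgNicLayout {
    $results = @()
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($c in $cfgs) {
        $isInternal = ($c.IPAddress -contains $internalIp)
        $isExternal = ($c.IPAddress -contains $externalIp)
        if (-not ($isInternal -or $isExternal)) { continue }

        $hasGateway = ($c.DefaultIPGateway -ne $null) -and ($c.DefaultIPGateway.Count -gt 0)
        $hasDns     = ($c.DNSServerSearchOrder -ne $null) -and ($c.DNSServerSearchOrder.Count -gt 0)

        if ($isInternal) {
            # internal: no gateway, has DNS, not registering
            $ok = (-not $hasGateway) -and $hasDns -and (-not $c.FullDNSRegistrationEnabled)
            $role = "internal"
        } else {
            # external: has gateway, no DNS
            $ok = $hasGateway -and (-not $hasDns)
            $role = "external"
        }

        $results += New-Object PSObject -Property @{
            Adapter  = $c.Description
            Role     = $role
            Gateway  = ($c.DefaultIPGateway -join ",")
            Dns      = ($c.DNSServerSearchOrder -join ",")
            Register = $c.FullDNSRegistrationEnabled
            Matches  = $ok
        }
    }
    return $results
}

Test-TmgNicLayout | Format-Table Role, Adapter, Gateway, Dns, Register, Matches -AutoSize
```

Any row whose Matches column is False is a NIC that still deviates from the rule; the Gateway and Dns columns show which half is wrong. Because the Edge server is not a domain member, the internal NIC's DNS entries are what let TMG and EdgeSync resolve the Hub Transport servers by name.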
 
rsgdmn (Author) commented:
Thanks. I did get it set up and kind of working. I have had some successful EdgeSyncs, however, for every successful one I have I seem to find a whole slew of them when I query the logs that are being denied connection by the default firewall policy. Yet a short time later it will show it checked the LDAPS policy and allowed it, and then go back to failing. I opened a case with MS to help figure it out. But I do seem to have user info when I query LDAP on the Edge now. I just want to see the errors go away before NATing my email traffic through this server. This was a little more than I was expecting, but I'm learning a lot, which is always good.
 
Keith Alabaster commented:
Run up the best practice analyser and see what you get.