?
Solved

Forefront TMG

Posted on 2012-03-21
9
Medium Priority
?
745 Views
Last Modified: 2012-08-14
What advantages are there to having TMG 2010 and Edge Transport on the same physical server, other than hardware costs? Is it OK to have them on separate physical servers? And if so, do you still keep both of them in the DMZ? And should they both be left in a workgroup or should either or both be a domain member? Any help would be aprreciated.
0
Comment
Question by:rsgdmn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 7

Expert Comment

by:Rammestein
ID: 37748966
TMG should be in a domain and Edge should be in a workgroup.
I will suggest this topology:

Exchange->Edge->TMG

This should work good for you!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37750132
Both should be in the domain and on the same box. There are numerous reasons for this:

Hardware costs, additional OS license, need to open additional ports in TMG to allow any DMZ-based servers through to the internal domain, addiotnal admin overhead etc to name but a few.

The postives of putting the Edge on the TMG box also include allowing you to keep all of the Exchange services securely tucked behind the TMG, you get the protection systems inherent with TMG to protect the OWA services, activesync and the like for publishing out to your users and finally you can use the mail policies - specifically geared for Exchange - theat TMG provides... and that you have paid for in the license.

No brainer.
0
 

Author Comment

by:rsgdmn
ID: 37750258
That's actually what I tried first but I had so many problems with some of the tmg services hanging and locking up the server it got to be a headache rebooting the server being it's the only Edge server I have so it interrupts email and really scares me to have that many problems on my mail server. This way the worst thatbhappens if tmg acts up is users Have to connect to the VPN to get mail until i fix it. That's why I'm looking at keeping them separate, but I do still plan on publishing ActiveSync and OWA with it. Is that not possible with them being on different boxes, or is it still possible? Does that make sense or do you still think it's smarter to keep them together. What are other peoples thoughts on this? Just curious. Thanks.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37751305
Always right to seek multiple views and everyone's requirements will be different.

75% of getting this right is undertaken before you have installed a single product (apart from the OS). For example, getting the DNS correct, the bind order of the network cards, the static routes, default gateway etc.

Once the OS is fully configured and joined to the domain, you install the Exchange services and finally you install TMG.

Having them separate is no real issue but I have answered based on your question - what are the advantages. Both will work but integrated is by far the preferred approach for the reasons given.

Keith
0
 

Author Comment

by:rsgdmn
ID: 37751999
Keith,

So you would recommend they both ar einstalled ont he same machine and a memeber of the domain? What I had before was a workgroup server with both. But maybe that's what complicated it. Although, most of what I saw states that Exchange Edge shouldn't be on a domain server. But I do know you deal a lot with this kind of stuff so I definately respect your opinion. Maybe I should try it again as a domain member. I'll run it by our IT Director. Thanks.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 37752387
MS best practice, the installation setup guide, the exam I had to take to become a Microsoft Certified Trainer for the product and my experience as an MVP for both ISA and TMG for many years all state that the preferred approach is on a single unit (or array of TMG units) after joining the domain.

You're correct about the domain and the edge being different in a normal scenario - however, this is not a normal installation where you have a mish-mash of security devices and software. In this case you have bought one of the best firewall, proxy server and application gateway that money can buy - one which was built from scratch to include the Exchange 2010 edge service whilst allowing the Exchange to be on a domain box.

As I mention above, by using this approach you minimise the number of ports that need to be opened on the TMG to allow traffic to pass from a workgroup server to the internal network and this is a huge plus in anyones security brief.

Keith
0
 

Author Comment

by:rsgdmn
ID: 37753178
I'm going try it like that.
0
 

Author Comment

by:rsgdmn
ID: 37753933
Thanks. It's working great now.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37767022
Welcome :)
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month14 days, 5 hours left to enroll

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question