Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Creating a DMZ on TMG 2010

Posted on 2012-03-26
3
Medium Priority
?
2,681 Views
Last Modified: 2012-08-14
We are planning to host an Ubunto BigBlueButton web-conferencing server on our network.
 To make it more secure, I am planning to create a DMZ on TMG 2010 and place it in there before publishing it to the internet.
 
I have a virtualised TEST environment (Hyper-V) and have so far:
 * added a new NIC (DMZ)
 * using the wizard, created a three leg perimeter network
 * gave the DMZ a new subnet address
 * added a new access rule to allow DNS, NTP and other protocols to pass between the    
    DMZ and internal network > I chose to route traffice between the two networks
 * added a web-server to the DMZ
 * connected the physical Internal NIC and the DMZ NIC to a small switch (I will create a
    virtual connection later)
 
 
Here is some IP address information:
 Internal network (LAN):192.168.51.0
 DMZ: 192.168.52.0
 Web-server inside the DMZ: 192.168.52.1 (DNS: 192.168.51.1)
 

Questions:
 1) The web-server is now completely isolated; it cannot access the internet or even ping the DMZ NIC (192.168.52.254) - what other rules do I need to setup for the DMZ so that the web-server is accessible from both the internal network and the internet?
 2) As I understand it the access rule shouldn't be bi-directional; only the internal network should have (full ?) access to the web-server. However, aren't TMG rules bi-directional?
 3) Should traffice between the DMZ and internal networks be routed or NAT'd?
 4) Should I point the wen-servers IP address to a public IP address or keep the private DMZ IP address (192.168.52.1)?
 5) What should the gateway be on the web-server? I have pointed it to the address of the TMG server (192.168.51.254).
 

Many thanks!
0
Comment
Question by:mark-199
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 37767501
1. You tell me - what do you want it to do

2. Wrong. If the relationship is route (rather than NAT) only outbound and return traffic is allowed back to the initiating system. If traffic needs to be initiated from either element then traffic must be specifically allowed in both directions.

3. Route is best for internal to DMZ
From dmz to extrnal should be NAT
From internal to external should be NAT

4. Web server should be private IP. The external firewall/router will be responsible for forwarding traffic to the TMG external nic. On TMG you will have published the service and in the publishing ruule you will provide the internal ip address of the dmz server.

5. gw of dmz server will be dmz ip address of TMG
0
 

Author Closing Comment

by:mark-199
ID: 37795575
Thank you for your reply- this has helped me understand things better.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37795597
Welcome :)
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question