Different authentication for internal and external access through TMG 2010

Patrick Elsen
Suppose you need to publish some sites both internally and externally using TMG 2010...

When a user is "internal" (connected to the LAN), we do not want users to enter extra authentication to access the site, as they are already logged in using their Active Directory account.

When the same user is "external" (coming in through the internet - we have a hardware firewall in front of the TMG), we want the users to enter their userid/password before being admitted to the same site.

Is this a configuration that can be set up with TMG 2010? How should this be done?
Kini pradeep, Development Manager

1. Is the TMG a part of a workgroup or added to an AD domain?
The servers are a part of the LAN and since the users authenticate against the AD, you do not need an additional user/password for authentication, but when the users access the applications / websites the user should use the AD user name/pwd? Correct me if wrong.

You will need to register the application on the public DNS and map it to the public IP.
If TMG is the perimeter firewall then assign the public IP on external interface and create a web publishing rule.
Most Valuable Expert 2011
Internal users DO NOT GO through the TMG to get to the site,...only the External Users go through the TMG.

You need to setup Split-DNS.  Split-DNS is a "must" for any properly built LAN,...it is not an "option" that you can "blow off".

Split DNS makes sure that when users go to the URL of your web site that it resolves to the Private Direct IP# of the Web Site where it physically sits on your LAN.

You should also be using WPAD for proxy auto-detection and should also run the Firewall Client on all Workstations and Laptops.  Not doing so will allow unexpected behavior from the clients at times,...such as trying to use the proxy when they should not,...or trying to authenticate with a proxy when they should not be trying to do so.  Both of those are flaws in IE and using WPAD side-steps those flaws.
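The two mechanisms the answer above relies on, split DNS and a WPAD-served proxy auto-config (PAC) file, fit together in one place: the PAC script. The script below is an added example, not code from the original thread or from Microsoft; the host names, the private addresses and the proxy name are constructed placeholders. A browser's PAC engine normally supplies `dnsResolve`, `isInNet`, `isPlainHostName` and `dnsDomainIs`; here they are replaced by small stand-ins (backed by a constructed table that plays the role of the internal DNS view) so the logic can be exercised offline. In a deployed `wpad.dat` you would keep only `FindProxyForURL` and let the browser provide the helpers. The point it demonstrates: when split DNS hands a LAN client a private address for the published site, the PAC returns `DIRECT`, so the client never touches TMG for that site and is never prompted by it; an external user resolves the same name to the public address and arrives through the web publishing rule instead.

```javascript
// Constructed split-DNS view: what the INTERNAL DNS server answers for LAN clients.
// Hypothetical names and addresses, not from the original post.
var INTERNAL_DNS = {
  "portal.example.com": "10.1.2.30",   // published site, private address where it sits on the LAN
  "intranet.example.com": "10.1.2.31"
};

// How LAN clients reach the TMG proxy for Internet traffic (assumed name and port).
var PROXY_DIRECTIVE = "PROXY tmg.example.com:8080";

// ---- Stand-ins for the helpers a PAC engine provides (ES5 style, as PAC engines are old) ----

// Resolve a name the way an internal client would; null when the internal zone has no record.
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(INTERNAL_DNS, host) ? INTERNAL_DNS[host] : null;
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = (n << 8) + parseInt(parts[i], 10);
  }
  return n >>> 0;
}

// True when ip lies inside net/mask; a null ip (unresolvable) is never "in" a network.
function isInNet(ip, net, mask) {
  if (ip === null) return false;
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Is the address one of the RFC 1918 private ranges, i.e. reachable on the LAN directly?
function isPrivateAddress(ip) {
  return isInNet(ip, "10.0.0.0", "255.0.0.0") ||
         isInNet(ip, "172.16.0.0", "255.240.0.0") ||
         isInNet(ip, "192.168.0.0", "255.255.0.0");
}

// ---- The PAC entry point that WPAD would serve to clients ----
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names are always local: go direct, no proxy, no proxy authentication.
  if (isPlainHostName(host)) return "DIRECT";

  // Names in our own domain: trust what split DNS says. A private answer means the site
  // is on the LAN, so bypass TMG entirely. No answer (or a public answer) falls through.
  if (dnsDomainIs(host, ".example.com") && isPrivateAddress(dnsResolve(host))) {
    return "DIRECT";
  }

  // Everything else is Internet traffic and goes out through TMG.
  return PROXY_DIRECTIVE;
}

// Small self-check when run directly under Node (not part of a real PAC file).
if (typeof require !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("http://portal.example.com/", "portal.example.com"));
  console.log(FindProxyForURL("http://www.example.net/", "www.example.net"));
}
```

The third branch matters for the failure mode the answer describes: an `example.com` name that the internal zone does not carry resolves to `null`, `isInNet` treats that as "not private", and the request goes to the proxy rather than being sent direct to a name the client cannot reach. The same name queried from outside the LAN gets the public address from the external DNS view, so it never appears in this table at all.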