restrict the communication between the TMG servers and the domain controllers

ACS2012
Dear All,

I’m planning to install a TMG 2010 standalone array in our DMZ and we will join it to our domain. In the internal network we have 6 Windows 2008 R2 domain controllers. I’m looking for a way to restrict the communication between the TMG servers and the domain controllers so the TMG servers will only communicate with two selected domain controllers, not all DCs; that’s required by the security and network departments.
Can I do that?

Please help.

Thanks
Yes, you can do that by going to the system config and, in the domain area, allowing communication only to the required IPs. But in the real sense you cannot block the authentication of TMG if TMG is requesting the domain for authentication, or any policy if the domain controllers are sending the requested policies; then it can come from any domain controller, as domain controllers do not work independently.

Author

Commented:
Hi Bawer,

Thanks for your reply.

Could you please provide me more information, like how to do that from the system config? And do I have to make it in TMG or on the DCs?

Regarding "you cannot block the authentication of TMG if TMG is requesting the domain for authentication": what if I close this at the network level so the TMG can communicate with only two of the domain controllers?
Commented:
Apart from the advantages and disadvantages, you can configure it by editing the System Policy of TMG.

By default the Internal network is listed in the "Active Directory" option of the "Authentication Services" configuration group.

You can remove "Internal" from the "To" tab and add your custom Computer Set object that will contain your desired domain controllers.

Author

Commented:
That's from TMG; how can I make it also from Windows? I need to restrict everything, Windows and TMG.

Commented:
When you install TMG, Windows Firewall control is taken over by TMG. Whatever you control from TMG also works for Windows.
Most Valuable Expert 2011
Commented:
MS already knows what they are doing with that. All communication to/from the LAN (and DC) is already minimized if you just leave it alone. You join the machines to the domain first, then install TMG; it will automatically detect that it is a domain member and will build the correct System Policies to/from the LAN required for AD membership. The interaction between the TMG and the DC occurs over the System Policies, NOT the Firewall Policies. By default, out of the box, there are zero policies (read "no traffic allowed") between the Internal LAN and the TMG itself, nor the Internet, and it will work with AD just fine via the System Policies.
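Added verification script, not part of this thread and not TMG's own tooling. Two things in the answers above are worth checking on the box itself: that the System Policy change (Active Directory rule restricted to a Computer Set of the two chosen DCs) really leaves the other four DCs unreachable, and that the DC locator, which as Bawer notes can pick any DC, has in fact settled on one of the allowed two. The script enumerates every DC the domain advertises, tries a TCP connect on the usual AD ports to each one, flags any DC outside the allow-list that still answers, and then asks nltest which DC the host is currently using. The DC names, the domain name and the port list are placeholders/assumptions; it is written for PowerShell 2.0 so it runs on the Windows Server 2008 R2 host that TMG 2010 requires, and it must be run after the System Policy has been applied.

```powershell
# Added example (not from the thread): confirm a domain-joined TMG host can reach
# only the intended domain controllers. Run on the TMG server after the System
# Policy "Active Directory" rule has been limited to the DC Computer Set.
# Assumptions: placeholder DC names below; run in an elevated PowerShell 2.0 session.
$AllowedDCs = @('DC01.example.local', 'DC02.example.local')   # placeholder FQDNs
$Ports      = @(88, 135, 389, 445, 464, 636, 3268)            # Kerberos, RPC EPM, LDAP, SMB, kpasswd, LDAPS, GC
$TimeoutMs  = 2000                                            # per-port connect timeout

# TCP connect with a timeout; returns $true only if the three-way handshake completes.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ask AD for the full DC list so no controller is missed. This call itself needs
# one reachable DC, so it only succeeds if at least one allowed DC is available.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$results = foreach ($dc in $domain.DomainControllers) {
    $allowed = $AllowedDCs -contains $dc.Name      # case-insensitive by default
    foreach ($p in $Ports) {
        $open = Test-TcpPort -HostName $dc.Name -Port $p -Timeout $TimeoutMs
        New-Object PSObject -Property @{
            DC        = $dc.Name
            Port      = $p
            Reachable = $open
            Allowed   = $allowed
            Violation = ($open -and -not $allowed)   # reachable but not in the allow-list
        }
    }
}

$results | Sort-Object DC, Port | Format-Table DC, Port, Reachable, Allowed, Violation -AutoSize

# Summarise: any row with Violation = True means the restriction is not effective.
$violations = @($results | Where-Object { $_.Violation })
Write-Host ("Unexpected reachable DC/port pairs: {0}" -f $violations.Count)

# Which DC the locator has actually bound this host to for the current session.
& nltest "/dsgetdc:$($domain.Name)"
```

A clean result is a table where Reachable is True only on rows where Allowed is also True, a violation count of 0, and an nltest output naming one of the two allowed controllers. Because the check is a plain TCP connect from the TMG host, it exercises the same path TMG's own authentication traffic takes through the System Policy, so it reflects what the Windows side can reach as well, which answers the "Windows and TMG" question above.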
