• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1077

How to configure network design for TMG vm publishing exchange web services?

I would like to publish all of the Exchange web services (autodiscover, OWA, Outlook Anywhere, ActiveSync) to the internet. NOT SMTP; that is handled separately by our filtering service.

We currently have an exchange 2010 single server environment with HT,CAS,MBX installed.

Can I create a TMG 2010 VM with a SINGLE virtual NIC joined to the domain on my internal network to handle publishing of Exchange Web Services? Would I just punch holes in the Cisco ASA firewall and create a NAT on the Cisco ASA for HTTP and HTTPS to redirect from the external IP for mail.domain.com to the internal IP of the single-NIC TMG, or is this configuration unsupported or insecure?

I am trying to avoid having 2 NICs on the TMG since the TMG will be a VMware ESXi 5 VM and it will be much easier to configure the TMG VM with a single NIC on a single network. It APPEARS (I could be wrong) that I only need a single NIC on the internal network to publish Exchange, but I wanted to get more feedback in case I am misunderstanding something.

Looking at this link it appears this is a supported configuration, but I want to make sure I am not missing anything, and I didn't see autodiscover listed: http://technet.microsoft.com/en-us/library/cc995236.aspx

> You can publish Web servers and Outlook Web Access servers over HTTP or HTTPS. You can authenticate incoming requests and chain requests to upstream proxies. When you publish Outlook Web Access on a single network adapter computer, the following Outlook Web Access features are available:
>
>   • Standard Outlook Web Access features such as sending and receiving e-mail, calendars, and other features
>   • Exchange Outlook Mobile Access, ActiveSync, and Outlook RPC over HTTP
>   • Forms-based authentication
1 Solution
Jamie McKillop (IT Manager) commented:

Yes, as long as you are only publishing web-based services, you only need a single NIC in TMG.

I agree with JJ, a single-NIC TMG is enough for Exchange, just forward the ports from the ASA to TMG.
Autodiscover is published via the Outlook Anywhere rule, if created.
All Exchange rules are Web Publishing rules.

Nevertheless I don't like single NIC TMG.
To use it as a Web Proxy too or for other MS products is not so far away, and some functions don't really work with a single-NIC TMG.
NBF (Author) commented:
Thanks guys for your input! There will not be a possibility of using this for other services than Exchange.

Does the single NIC need to be on a DMZ segment or can it be on the internal production network with just the ports forwarded on the Cisco ASA?

Having 1 vNIC gives us the ability to vMotion this TMG VM around and also replicate it to our DR hot site, which is on a different subnet. In a DR situation I could fail over to that VM and make just a couple of adjustments to the firewall port-forwarding rule and the rules in TMG (since the IP address will change at the DR site) and be back up and running. I like this simplistic approach. Having a complex vNIC design like dedicated pNICs or VLANs etc. would add a lot more work to this configuration and not allow us to fail over so easily to the DR site.

I will leave this question open for a few more days in case anyone else wants to add any input or disagrees. If there are no more comments I will accept your posts as the solution. Thanks again for your input.
> There will not be a possibility of ...
You forward all HTTP / HTTPS traffic to TMG; that means, if you want to publish something else, you need a second IP.

> Does the single NIC need to be on a DMZ....
TMG in this constellation works just as a reverse proxy, so it has no firewall or other filter functionality. This is the job of the ASA. As the ASA allows only HTTP / HTTPS, TMG handles the link translation and maybe access security / authentication.
This may be the reason to put it into a DMZ, but then you additionally have to make sure that the TMG has at least LDAP access to the AD and that it can reach the web services on Exchange.

> Having 1 vNIC gives us the ability
If it fulfills your needs, yes.
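The port forwarding the thread describes (only TCP 80/443 from the public address to the single-NIC TMG, everything else dropped on the ASA), together with the extra flows a DMZ-placed TMG needs, as an added example that is not from the thread or from Microsoft/Cisco documentation. It assumes ASA 8.3+ object-NAT syntax, interfaces named outside, inside and dmz, and placeholder addresses: 203.0.113.10 as the public IP for mail.domain.com, 10.0.0.10 as the TMG NIC, 10.0.0.20 as the Exchange CAS and 10.0.0.5 as a domain controller. All object and ACL names are made up for the example.

```cisco
! --- Constructed example; placeholder addresses, not from the thread ---
! Single-NIC TMG on the internal network (the asker's scenario).
object network TMG_MAIL
 host 10.0.0.10
 description Single-NIC TMG 2010 publishing Exchange web services

! ASA 8.3+ allows one nat statement per network object, so each forwarded
! port gets its own object pointing at the same host (static PAT).
object network TMG_MAIL_HTTPS
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 service tcp https https
object network TMG_MAIL_HTTP
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 service tcp www www
! Publishing a second service on 80/443 later would need a second public IP,
! since 203.0.113.10:443 is now owned entirely by TMG.

! Inbound policy on the outside interface: HTTP/HTTPS to TMG and nothing else.
! The implicit deny at the end of the ACL keeps every other port closed,
! which is the "ASA is the firewall, TMG is only a reverse proxy" split.
access-list OUTSIDE_IN extended permit tcp any object TMG_MAIL eq https
access-list OUTSIDE_IN extended permit tcp any object TMG_MAIL eq www
access-group OUTSIDE_IN in interface outside

! --- Only if TMG is moved to a DMZ interface instead ---
! Change the NAT above to (dmz,outside) and allow the minimum flows the
! thread names: LDAP/LDAPS to AD and HTTPS to the Exchange CAS. A domain-joined
! TMG also needs DNS, Kerberos and RPC/SMB to the DCs (not shown here).
object network EXCH_CAS
 host 10.0.0.20
object network DC1
 host 10.0.0.5
access-list DMZ_IN extended permit tcp object TMG_MAIL object EXCH_CAS eq https
access-list DMZ_IN extended permit tcp object TMG_MAIL object DC1 eq ldap
access-list DMZ_IN extended permit tcp object TMG_MAIL object DC1 eq ldaps
access-group DMZ_IN in interface dmz
```

After applying it, `show nat detail` and `show access-list OUTSIDE_IN` on the ASA confirm that only the two ports are translated and hit counters increase when TMG is tested from outside; the TMG web listener itself still needs its own Web Publishing rules for OWA, EWS, ActiveSync and Outlook Anywhere (which carries autodiscover, as the thread notes).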