How to configure network design for TMG vm publishing exchange web services?

Posted on 2012-09-19
Last Modified: 2012-10-03
I would like to publish all of the Exchange web services (autodiscover, OWA, Outlook Anywhere, ActiveSync) to the internet.  NOT SMTP; that is handled separately by our filtering service.

We currently have an exchange 2010 single server environment with HT,CAS,MBX installed.

Can I create a TMG 2010 VM with a SINGLE virtual NIC joined to the domain on my internal network to handle publishing of Exchange Web Services?  Would I just punch holes in the Cisco ASA firewall and create a NAT on the Cisco ASA for HTTP and HTTPS to redirect from the external IP to the internal IP of the single-NIC TMG, or is this configuration unsupported or insecure?

I am trying to avoid having 2 NICs on the TMG since the TMG will be a VMware ESXi 5 VM and it will be much easier to configure the TMG VM with a single NIC on a single network.  It APPEARS (I could be wrong) that I only need a single NIC on the internal network to publish Exchange, but I wanted to get more feedback in case I am misunderstanding something.

Looking at this link it appears this is a supported configuration but I want to make sure I am not missing anything and I didn't see autodiscover listed:

You can publish Web servers and Outlook Web Access servers over HTTP or HTTPS. You can authenticate incoming requests and chain requests to upstream proxies. When you publish Outlook Web Access on a single network adapter computer, the following Outlook Web Access features are available:

Standard Outlook Web Access features such as sending and receiving e-mail, calendars, and other features
Exchange Outlook Mobile Access, ActiveSync, and Outlook RPC over HTTP
Forms-based authentication
Question by:NBF
    LVL 37

    Expert Comment

    by:Jamie McKillop

    Yes, as long as you are only publishing web-based services, you only need a single NIC in TMG.

    LVL 35

    Expert Comment

    I agree with JJ, a single-NIC TMG is enough for Exchange, just forward the ports from the ASA to TMG.
    Autodiscover is published via the Outlook Anywhere rule, if created.
    All Exchange rules are Web Publishing rules.

    Nevertheless I don't like single NIC TMG.
    Using it as a Web Proxy too, or for other MS products, is not so far away, and some functions don't really work with a single-NIC TMG.

    Author Comment

    Thanks guys for your input!  There will not be a possibility of using this for other services other than exchange.

    Does the single NIC need to be on a DMZ segment or can it be on the internal production network with just the ports forwarded on the Cisco ASA?

    Having 1 vNIC gives us the ability to vMotion this TMG VM around and also replicate it to our DR hot site, which is on a different subnet.  In a DR situation I could fail over to that VM, make just a couple of adjustments to the firewall rule port forwarding and the rules in TMG (since the IP address will change at the DR site), and be back up and running. I like this simplistic approach.  Having a complex vNIC design like dedicated pNICs or VLANs etc. would add a lot more work to this configuration and not allow us to fail over so easily to the DR site.

    I will leave this question open for a few more days in case anyone else wants to add any input or disagrees.  If no more comments I will accept your guys posts as solution.  Thanks again for your input.
    LVL 35

    Accepted Solution

    > There will not be a possibility of ...
    You forward all HTTP / HTTPS traffic to TMG, that means, if you want to publish something else, you need a second IP.  

    > Does the single NIC need to be on a DMZ....
    TMG in this constellation works just as a reverse proxy, so it has no firewall or other filter functionality. This is the job of the ASA. As the ASA allows only HTTP / HTTPS, TMG handles the link translation and maybe access security / authentication.
    This may be the reason to put it into a DMZ, but then you additionally have to make sure that the TMG has at least LDAP access to the AD and also that it can access the web services on Exchange.

    > Having 1 vNIC gives us the ability
    If it fulfills your needs, yes.
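
    The accepted answer above boils down to a short list of flows the firewall must carry if the single-NIC TMG is placed in a DMZ: ASA forwards only HTTP/HTTPS to TMG, and TMG itself needs LDAP to the domain controllers and HTTPS to the Exchange CAS. The following is an added example (not from this thread or from Microsoft/Cisco) that turns that list into a check against a firewall allow-list; every address, subnet and rule in it is a constructed sample value.

```python
# Added example, not part of the thread: verify a DMZ firewall policy covers
# every flow a single-NIC TMG reverse proxy needs for Exchange publishing.
# All hosts, subnets and rules below are constructed sample values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # single address or CIDR
    dst: str    # single address or CIDR
    port: int   # TCP destination port


def _covers(rule_net: str, need_net: str) -> bool:
    """True if the address(es) in need_net all fall inside rule_net."""
    return ipaddress.ip_network(need_net, strict=False).subnet_of(
        ipaddress.ip_network(rule_net, strict=False))


def allowed(rule: Flow, need: Flow) -> bool:
    """A (possibly subnet-wide) rule permits a needed flow if it covers src, dst and port."""
    return _covers(rule.src, need.src) and _covers(rule.dst, need.dst) and rule.port == need.port


def required_flows(internet: str, tmg: str, dcs, cas: str):
    """Flows named in the accepted answer: ASA -> TMG on 80/443 only,
    TMG -> AD on LDAP (389), TMG -> Exchange CAS web services on 443."""
    flows = [Flow(internet, tmg, 80), Flow(internet, tmg, 443)]
    flows += [Flow(tmg, dc, 389) for dc in dcs]   # LDAP to each domain controller
    flows.append(Flow(tmg, cas, 443))              # OWA, EWS, ActiveSync, Outlook Anywhere
    return flows


def missing_flows(policy, needed):
    """Needed flows that no rule in the policy permits."""
    return [n for n in needed if not any(allowed(r, n) for r in policy)]


# Constructed sample: TMG in a DMZ, AD and Exchange CAS on the internal LAN.
INTERNET = "0.0.0.0/0"
TMG_DMZ = "192.0.2.10"
DCS = ["10.0.0.5", "10.0.0.6"]
CAS = "10.0.0.20"
SAMPLE_POLICY = [
    Flow("0.0.0.0/0", TMG_DMZ, 443),           # ASA NAT/ACL to TMG, HTTPS
    Flow("0.0.0.0/0", TMG_DMZ, 80),            # ASA NAT/ACL to TMG, HTTP
    Flow("192.0.2.0/24", "10.0.0.0/24", 389),  # DMZ -> LAN LDAP
    # Deliberately no DMZ -> CAS rule on 443: the check below should report it.
]

if __name__ == "__main__":
    for f in missing_flows(SAMPLE_POLICY, required_flows(INTERNET, TMG_DMZ, DCS, CAS)):
        print(f"missing: {f.src} -> {f.dst}:{f.port}")
```

Run against the sample policy it reports the single gap, TMG to the CAS on 443; feed it your real ASA/DMZ rule set instead to confirm nothing beyond 80/443 is forwarded to TMG and the two back-end flows exist.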
