Forefront Threat Management Gateway 2010 Enterprise - Step by Step

I have ask for help on another question awhile back but got pulled away from the project now I am refereshing my memory and need help. I need help with figuring out first the ACTIVE Directory Roles and forest /domains on setup of Forefront Threat Management Gateway Firewall.

(((First yes I know TMG 2010 has been deprecated but it is all I have to work with due to budget constraints)))

I have 2 servers, 2 PC's and the wireless router for laptops / iphones for the Internal LAN.

I have 3 servers hosting: Lync, Share Team and most importantly Exchange. which are kind the outside. External LAN

All need to be behind the firewall:

There all on the same subnet Internally - They all have the ability of external IP address on NIC2 which of course is leaving them wide open to the world so They are disabled and used for testing only.

Just to restate the setup:  

Firewall:  MS forefront TMG 2010 on Windows 2008 R2 with 2 NICS

What is behind the firewall;

Server001: MS Server 2012 / Exchange 2013 / Domain Controller: Geek001
Server002: MS Server 2012/ Lync 2013 / Domain Controller: Geek002
Server003: MS Server 2012/ Share Team 2013 / Domain Controller: Geek003

Server004: MS Server 2012/ Web Only IIS8.0 / Domain Controller: Geek004
Server005: MS Server 2012/ Office Server / Domain Controller: Geek005

PC's, Laptop's, and other devices...

Since I don't want it in Work Group Mode and it needs to be added to a domain controller:
I have to have a domain controller for it to attach to:  I need to figure out the forest domain structure for the external - Internally I understand but this will make it a 2 part questions in setting up domains in the same forest with different domains so they have 2 way trusts?

I need help with the understand of getting the TMG 2010 FW installed and up and running so there is more protection in house right now I am embarrassed to say!!!

So I am guessing I am guessing I will have to make TMG part of Geek005 domain but how it affect the other domains and other users... Other servers will all be web based access and the PC's will be tied to the Geek005 server??

I need to start the install of TMG because its not secured here and I need the NAT of the 5 static IP address to be sent Thur the firewall... Is Share Team 2013 work OK with TMG 2010???  I am needing the TMG 2010 to be friendly with Share Team, Lync and Exchange all running 2013 software,

PS:  I know setting up DMZ with second TMG 2010 but I also will have to make some machine do dual roles...

Thanks for any and all help...
Clint JonesAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
just thinking the issue is how will TMG works across different domain or multi-forest environment, and itself is having joined one of the domain.

MS recommends  as a general best practice for such edge deployments, it is normally recommended that you install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. However, you can configure client certificate authentication only for users defined in the Forefront TMG domain, and not for users in the corporate internal domain or forest, which makes this solution impracticable for use in a hybrid environment.

This forum talks something close to this
ADFS 2.0 Deployment - Proxy for Multiple Independent Forests

Another of sort

Even if you cannot join the TMG firewall to your existing resource domain, consider creating a subdomain dedicated to the TMG firewalls and leveraging read-only domain controllers (RODC). You could even go so far as to create a separate forest to support domain-joined TMG firewalls and establish a one-way trust with your existing forest.

Workgroup and domain considerations

Useful info
- Deployment checklist @
- Overall TMG deployment @
- Tutorials @

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
Separately for setting one way forest trust or in general accessing Resources across forest , this may come in handy as ref
Clint JonesAuthor Commented:
Thank You Breadtan looking over everything now...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.