Solved

Single NIC for http web publish rule - TMG

Posted on 2015-01-13
2
255 Views
Last Modified: 2015-02-11
Hi discussion at work.

I suggest just 1 NIC for TMG  in DMZ is the most secure - We have an ASA firewall

Im been told that its more secure with 2 x NICs  - 1 dmz and 1 internal (im presuming internal means that (internal LAN) - then a NAT on the TMG

How is this more secure - is not "MORE" secure with just 1 NIC in the DMZ? - then publishing rule proxies the connection to inside LAN?
0
Comment
Question by:philb19
2 Comments
 
LVL 28

Assisted Solution

by:asavener
asavener earned 250 total points
ID: 40547290
I'm not sure exactly what your setup is, or how you're trying to leverage the TMG server.  Can you provide a diagram?

Is the "DMZ" just an interface off of the ASA, and you also have an inside and an outside interface?

Internet
   |
ASA--DMZ
   |
Inside


Traditionally, I had the ISA/TMG server as a second firewall:

Internet
   |
ASA
   |
DMZ  (Considered the "inside" interface on the ASA)
   |
TMG
   |
Inside

IMO, the second topology provides additional security, because any internet traffic has to traverse two different firewall platforms to reach the inside network.  You also get to use the TMG as a proxy server for your internal clients.
0
 
LVL 23

Accepted Solution

by:
Suliman Abu Kharroub earned 250 total points
ID: 40580918
You can't use TMG as a firewall with a single NIC, only proxy server.... so 2 NICs is more secure.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now