Channel: Forefront TMG and ISA Server forum

Network topology - internal use of TMG, with VLANs


Hello. I read with interest: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/ae90b6d9-288a-4a26-86b2-ce9f810ad2a5

We would like to do something very similar - to separate some internal VLANs from others using TMG. Sometimes I find this a bit confusing because the vast majority of TMG guidance and comment is written on the assumption that TMG has an internet gateway on one side and a LAN on the other. What we are doing will be internal (visiting wireless devices) separated from internal (domain devices).

When I think about TMG and topology two concepts spring to mind.

1) Edge, back end, 3 leg perimeter, etc. In other words TMG template topologies.
2) Pure networking topologies involving arrangements of routers, core switches, edge switches, VLAN configuration.

What I would like help with is how 1) and 2) fit together.

We have the router at our front end, then we have a layer 3 core switch, then the edge switches. Pretty much all on the same subnet at the moment.

If I create a VLAN 2 for visiting wireless devices, and use the layer 3 core switch to create that VLAN, where does my TMG server go? It wouldn't go between the switch and the WAPs, would it, because VLAN 2 is configured on the switch and I want the switch to handle the VLAN routing? But if the TMG server goes between the core switch and the router it will have to be configured to handle requests from the whole network, which we don't necessarily want (yet).

Is the solution to put the TMG server on another VLAN, e.g. VLAN 3? I think it might be, but then I get confused. If visiting wireless (VLAN 2) internet requests will come into the core switch, what's to stop that traffic being passed straight up to the router and out the door? How do I force the VLAN 2 traffic to go via TMG on VLAN 3? I'm guessing that would be to do with how I configure VLAN 2?


Background note: our organisation, while largely autonomous, is for networking purposes an IP subnet of a larger network. We have a router at our front end to which we do not have the password, although we can discuss changes to it with a contractor. I actually am not sure whether there is then a dedicated line or VPN tunnel to the ISP who provide us with our internal address subnet. It does not matter; the point is that in a networking sense we are some distance from the REAL www gateway, which is not our business.
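The question above turns on a single forwarding decision: traffic from VLAN 2 is only inspected by TMG if the layer 3 core switch hands it to TMG instead of to the upstream router. The following is an added example, not part of the original post and not Microsoft or TMG code; it is a toy model of a layer 3 switch doing longest-prefix-match routing, with an optional per-ingress-VLAN next-hop override that stands in for what policy-based routing on the VLAN 2 interface (or giving VLAN 2 hosts TMG's address as their default gateway) achieves. All subnets, addresses and device labels are constructed.

```python
# Added example (not from the forum post): toy model of a layer-3 core switch's
# forwarding decision for packets arriving from the visitor VLAN (VLAN 2).
# Addresses and device labels are constructed for illustration only.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # label of the device the packet is handed to


@dataclass
class L3Switch:
    # Global routing table; lookups use longest-prefix match like a real switch.
    routes: list
    # Per-ingress-VLAN override of the next hop. Models policy-based routing
    # applied to the VLAN interface: traffic routed *from* that VLAN is sent
    # to the given next hop regardless of the global table.
    policy_next_hop: dict = field(default_factory=dict)

    def lookup(self, dst: str) -> str:
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen).next_hop

    def forward(self, ingress_vlan: int, dst: str) -> str:
        # Intra-VLAN traffic is switched at layer 2 and never reaches this step;
        # everything else is routed, and a VLAN policy route wins over the table.
        if ingress_vlan in self.policy_next_hop:
            return self.policy_next_hop[ingress_vlan]
        return self.lookup(dst)


def build_switch(force_visitors_via_tmg: bool) -> L3Switch:
    routes = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "upstream-router"),  # default route
        Route(ipaddress.ip_network("10.0.1.0/24"), "vlan1-domain"),   # connected VLAN 1
        Route(ipaddress.ip_network("10.0.2.0/24"), "vlan2-visitors"), # connected VLAN 2
        Route(ipaddress.ip_network("10.0.3.0/24"), "vlan3-tmg"),      # connected VLAN 3
    ]
    # With the override, packets entering from VLAN 2 are steered to TMG's
    # (constructed) address on VLAN 3 instead of following the default route.
    policy = {2: "tmg-10.0.3.10"} if force_visitors_via_tmg else {}
    return L3Switch(routes, policy)


def path_for_visitor_request(force_visitors_via_tmg: bool, dst: str) -> str:
    """Next hop the core switch chooses for a packet arriving from VLAN 2."""
    return build_switch(force_visitors_via_tmg).forward(2, dst)


def inspected_by_tmg(force_visitors_via_tmg: bool, dst: str) -> bool:
    """True only when the forwarding path actually passes through TMG."""
    return path_for_visitor_request(force_visitors_via_tmg, dst).startswith("tmg")


if __name__ == "__main__":
    for forced in (False, True):
        for dst in ("203.0.113.5", "10.0.1.20"):
            print(f"policy={forced!s:5} dst={dst:13} -> "
                  f"{path_for_visitor_request(forced, dst)} "
                  f"(inspected={inspected_by_tmg(forced, dst)})")
```

Without the override, a visitor packet to an internet address (and one to the domain VLAN) follows the default or connected route straight to the router or to VLAN 1, bypassing TMG entirely; with it, both are handed to TMG on VLAN 3 first. The lesson for the design is that the inspection point is wherever the switch's next hop for VLAN 2 says it is, so that next hop is the thing to configure and to verify.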

