Good Morning All,
I've been struggling with a proper configuration plan for our TMG system that makes everyone happy and actually works properly. I used to work at a Fortune 500 company where TMG was deployed. I never got involved in its configuration so I'm not sure how it was set up. This is the first TMG deployment I've ever done and my networking knowledge is limited so please bear with me.
Here is our proposed configuration:
2 network cards, one internal facing and one external facing.
The external network card is hooked into our DMZ on x.x.199.12
The internal network card is also hooked into the DMZ on x.x.200.12. This is an internal IP address that can reach internal machines.
The TMG box is domain joined per the recommendation of several experts. We plan to open only those ports on the internal network connection which are necessary for a domain member server, OWA, ActiveSync, Windows Update, DNS, RDP, etc.
This configuration was recommended to us by a senior security analyst and our senior admin here. I understand that the TMG (when set up properly) is very secure and doesn't necessarily need that additional level of security on the internal connection but my team is pushing for this (in the case that the TMG is improperly configured, we will have an additional level of security on compromise of the TMG box).
Our TMG will host ActiveSync and external OWA. Our Admins are concerned about putting the TMG internet facing so we put it behind a Checkpoint firewall. We only have 443 open on the Checkpoint firewall for incoming traffic only. The problem I'm having is severalfold. First off, every known expert blog out there is telling me to only specify a gateway on the external connection and to specify a DNS server only on the internal side. If I do this, I lose the ability to RDP into the box. Spending time in a cold computer room holding a laptop in my left hand is not ideal for me so I want this ability. It keeps saying in the logs that the IP address of my source computer has been "Spoofed". The IP address of the source computer is a member of the internal network on the TMG and it is trusted in the RDP rule. Also, I cannot reach my DNS servers because there is no gateway on the internal NIC. I think all of this is because the internal connection points at another device instead of the direct internal network. My team REALLY wants this extra level of protection so I want to see if I can get it working.
They are asking several questions that I have no definitive answer for. Here are a few:
1. Since the TMG is only hosting ActiveSync and OWA, why does it need external DNS access? Why do we have to specify an external gateway? Why would the TMG box ever need to send anything back out to the net? Can we just not specify any gateways on either network connection (in the case that we put the internal connection directly on the internal network where it wouldn't need an internal gateway)?
2. Why is putting a gateway on only the internal connection frowned upon? Is it because it's out of the norm or does it pose some security risk? Will it slow down the TMG or cause some other sort of routing problem?
3. Why does the TMG need external DNS access? Why would it ever need to look up an external name in itself? On that note, why does the TMG need ANY DNS access?
Any insight would be greatly appreciated. Also, a bare bones explanation of why the TMG needs gateways and DNS would be helpful, along with an explanation of why you wouldn't gain any security by putting the internal network card on DMZ and how this affects performance among other things.
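The routing side of the question above, as an added illustration that is not part of the original post or of any TMG guidance the poster quotes. A two-NIC Windows host should carry exactly one default gateway, on the external NIC; internal subnets that are not directly attached to the internal NIC (the corporate LAN behind the x.x.200.0 DMZ segment in the post) are reached through persistent static routes pointing at the router on that segment. TMG decides which network a packet belongs to from the Windows routing table, so an internal source address with no route back through the internal NIC is what produces the "spoofed" log entry and the unreachable DNS servers. All addresses and subnet ranges below are placeholders (the post only gives x.x.199.12 and x.x.200.12).

```powershell
# Added example, not from the original post. Run in an elevated prompt on the TMG host.
# Placeholders: the router on the internal-side DMZ segment and the corporate subnets
# that sit behind it. Replace them with the real values for your network.
$InternalRouter   = '10.0.200.1'                        # assumed: gateway on the x.x.200.0/24 segment
$CorporateSubnets = @(
    @{ Net = '10.10.0.0'; Mask = '255.255.0.0' },       # assumed: LAN with DCs and DNS servers
    @{ Net = '10.20.0.0'; Mask = '255.255.0.0' }        # assumed: admin workstations (RDP sources)
)

# 1. The only default route (0.0.0.0/0) must be the one on the external NIC.
#    Anything else here means a second gateway was configured and should be removed.
Write-Host '--- Default routes (expect exactly one, via the external NIC) ---'
route print 0.0.0.0

# 2. Persistent (-p) routes so that replies to internal hosts leave via the internal NIC
#    and survive a reboot. Without these, the host picks the external default gateway for
#    internal destinations, which is the asymmetry behind the spoof detections.
foreach ($s in $CorporateSubnets) {
    route -p add $s.Net mask $s.Mask $InternalRouter
}

# 3. Verify that each internal range now resolves to the internal-side router.
Write-Host '--- Internal routes (expect gateway = $InternalRouter) ---'
foreach ($s in $CorporateSubnets) {
    route print $s.Net
}

# 4. Confirm the per-interface settings match the layout: gateway only on the external
#    adapter, DNS servers only on the internal adapter (and reachable via the routes above).
netsh interface ipv4 show config
```

Re-check the TMG "Internal" network address ranges after this: they must cover the same subnets as the static routes, since TMG treats a packet whose source address is inside a network definition but arrives on the wrong interface as spoofed.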