However, this often needs to be architected this way rather than something To me, one of the better topologies is to use a network firewall as the edge firewall and then supplement this with an application layer firewall (like ISA/TMG) as the back firewall. With many modern Internet facing applications. If you are worried about TMG, should you not also be worried about your hardware firewall? Anyhow, people don't attack firewalls anymore, they attack applications exactly why application layer firewalls and reverse proxies are so important ISA (and TMG soon too no doubt) is a EAL4+ common criteria certified firewall that can probably hold it's own as good as your hardware firewall, Your comment about "if that server were compromised." is an interesting one as ISA/TMG has never been compromised. If you need a two NIC deployment, how about connecting the external interface to the Internet and the internal interface to your hardware firewall DMZ? This article discusses that topology well: Thanks so much - thoughts / ideas / flaws - I am open to discussion. The same box - woudl handle the Edge role - and passing mail to Exch 2010 HUB - I assume ForeFront will now need rules to allow External network inbound on 25 and 443 - 25 to localhost and 443 to internal network?ġ) Network definitions - 127.0.0.1 thru 127.255.255.255 is local traffic / everything not in that range is considered external?Ģ) Rules - traffic from external port 25 inbound to edge?ģ) Rules - traffic from external port 443 inbound to published forefront exch OWA?Ĥ) I would also need to build rules thru the firewall (hardware) - would this be true - that all I need is 443 and 25 inbound destined for backbone servers?ĥ) Outbound rules thru the hardware (firewall) - would all I need are 25 from HUB to Edge/TMG, 443 from CAS to Edge/TMG, and the LDP port for Edge Subscription? Or is that too simple - am I missing something? The model I am looking for is TMG to publish (reverse Proxy) the exchange owa access - with rules thru the firewall (hardware) and IDS to monitor - in this way traffic that attempts to jump port- will be whacked right off. and it appears to make this clear I can do this. It would be a single NIC setup for TMG - I have read I want an Exchange 2010 Edge server in a DMZ - and I want to leverage the same hardware to have TMG running on that box - only to allow publishing of the OWA access for my users on the road.
I woudl be opening the way for backbone traffic by bypassing the firewall. Instance it appears that if I have a hardware firewall in place protecting my backbone from the internet the ForeFront server would be bridging the firewall - and woudl become the weakest point - meaning that if that server were comprimised then potentially Initial findings show a TMG server with 2 legs (some with 3 legs 0 the 3rd for the published OWA on its own). (I have found several articles all hinting to the below mentioned model, but want to be clear 100% that I can do this and that I am protecting my network the best I can).įirst - I have read that with TMG I can publish the Exchange 2010 OWA access for my users to access mail when on the road.