Deeper Dive into the TMG Firewall Network Templates
There’s no point in expending a lot of effort reinventing the wheel, so the TMG firewall offers you the option to use Network Templates to help you deploy the firewall in a number of different roles. The Network Templates simplify a number of tasks that you would have to perform manually if you didn’t use the template. If you plan on deploying the TMG firewall in a scenario supported by one of the Network Templates, then you should take advantage of them. This article will provide you with information about what template options are available to you and we’ll look closely at what each has to offer.
Prior to deploying the TMG firewall using a Network Template, you should first decide on the TMG firewall’s placement on the network. Specifically, you need to consider whether the TMG firewall will be placed at the edge of your network, as a back to back firewall or a single NIC web proxy only firewall that supports both forward and reverse proxy. TMG Network Templates reflect the physical configuration in a logical setup.
The TMG firewall has four network templates. These are:
- Edge Firewall
- 3-Leg Perimeter (trihomed DMZ)
- Back Firewall
- Single NIC
You apply a network template when you run the Getting Started Wizard and choose the option Configure Network Settings. Before you run the wizard, read the rest of this article to understand the scenarios in which each template is appropriate, because the template sets up the networks and network rules that every later access rule will be built on.
Edge Firewall Network Template
You will need a firewall on the edge regardless of your deployment, so why not use the TMG firewall? This adds the first layer of protection for your internal assets. The Edge Firewall Network Template applies a configuration that reflects the main goal of your TMG firewall placement as an edge firewall.
This template assumes that you have two NICs: one connected to the default Internal network and one connected to the External network. Usually the external interface is the one connected directly to the Internet (through a router, for instance) and is the one that has the default gateway assigned to it, but it can also sit behind another device, such as another TMG firewall.
First, a quick overview of how you choose network templates: When you run the Getting Started Wizard, you will choose the Edge Firewall Template as seen in the figure below.
The “edge” of the network is, of course, the traditional placement for a firewall. An edge firewall is there to protect the internal network from “outsiders” (generally traffic coming from the Internet, although it can be from any external network). The Edge Firewall Template configures TMG to do the following:
- The TMG firewall will block all unauthorized attempts to gain access to the internal network from the external network.
- The TMG firewall hides the internal network from the outside.
- The TMG firewall can provide secure access to internal servers by publishing them.
- Configuration overhead is reduced.
3-Leg Perimeter Network Template or “Trihomed DMZ”
The 3-Leg Perimeter template helps you to deploy a trihomed perimeter network, also referred to as a demilitarized zone (DMZ). This is a small network that is separated from the organization's internal network. The DMZ is used to expose, in a controlled way, the resources that are shared by users who come from untrusted networks (such as the Internet) and from trusted networks (such as the corporate network). Email servers, web servers and other servers that need to be reached from outside the LAN are typically located in the DMZ, so a compromise of one of them does not give the attacker a foothold directly on the internal network.
This template requires that you set up the TMG firewall with three network interfaces, in the following configuration:
- One network adapter is connected to the Internet (External network)
- One adapter is connected to the internal network
- The third adapter is connected to a perimeter network (DMZ)
When you run Getting Started Wizard, you can choose the 3-Leg Perimeter template as seen in the figure below.
When you select this template in the Getting Started Wizard, you will have to later specify which NIC is connected to the DMZ, as seen in the figure below.
You will also need to specify whether the addresses used in the DMZ network are public or private. This is a key selection because it determines the network relationship (defined by a Network Rule) between the DMZ network and the other (Internal and External) networks: with private addresses the DMZ gets a NAT relationship with the External network, so the real addresses of the DMZ hosts are hidden from the Internet; with public addresses it gets a route relationship, and the DMZ addresses are visible and must be routable. Private addressing is the most common and usually the more appropriate choice.
This template provides you the following security benefits:
- Protects the internal network from external attacks.
- Securely publishes services to the Internet by limiting them to resources in the DMZ network.
- External users can access resources located in the DMZ network while preventing them from accessing resources on the internal network.
Back Firewall Network Template
Now let's look more closely at the Back Firewall network template. This is another way to deploy TMG with a perimeter network. You would use the Back Firewall Template when the TMG firewall is located between a DMZ network and the internal network. In this scenario, the TMG firewall acts as the back-end line of defense for the internal resources. You will also need another firewall (which can be another TMG firewall, or something else) between the external network and the DMZ network.
Use this Network Template when you want to provide two lines of defense. This template has the following benefits:
- Granular access control
- Multiple layers of protection
- Separation of duties, as each firewall will be responsible for a particular set of traffic profiles.
When you run the Getting Started Wizard you can choose the Back Firewall template as seen in the figure below.
When using the Getting Started Wizard to select this template, you will have to specify which NIC is connected to the internal network and which NIC is connected to the DMZ network.
Single NIC Network Template
Use the Single NIC Network Template when you need the TMG firewall only for forward or reverse web proxy, web caching, web publishing (HTTP/HTTPS, RPC over HTTPS and FTP) and remote access VPN client access. An important thing to remember about this configuration is that a single NIC TMG firewall cannot protect your network at the edge. The assumption of this Network Template is that another firewall sits at the edge of the network to protect the internal resources. That edge firewall can be another TMG firewall or something else.
This Network Template introduces a number of significant limitations. With only one NIC there is no concept of an External network: the single adapter carries both the local subnet and the default gateway that leads to everything beyond it. Because of this, the only networks available to the TMG firewall in this configuration are Local Host (the TMG firewall itself) and Internal, and all firewall policy must be built from those two elements.
In addition, there are several scenarios that are supported by a multi-NIC TMG firewall that are not supported by a single-NIC TMG firewall. Some of these include:
- Application filtering: although the TMG firewall has application layer filtering built in, with this template inspection is limited to HTTP/HTTPS and FTP over HTTP traffic.
- Server publishing: the Server Publishing feature relies on NAT between two networks, and with a single NIC there is no second network to translate between, so this type of publishing is not possible.
- Firewall Client: the Firewall Client (TMG Client) is not supported in Single-NIC deployments.
- SecureNAT Client: SecureNAT clients are not supported in Single-NIC deployments.
Assigning two or more IP addresses to the single NIC, or adding a second network adapter and then disabling it, does not get around these limitations; such configurations remain unsupported even if they appear to work.
When you run the Getting Started Wizard, you can choose the Single NIC template as seen in the figure below.
After you run this Network Template, you will see the following addresses used to define the default Internal Network:
127.0.0.0 – 127.255.255.255
126.96.36.199 – 254.255.255.255
Let's take a look at an example of the kind of problem you can run into with the Single NIC template. A user is able to open the first page of a web site and log on. However, when the user then tries to retrieve data from the application, the page fails to display. When the single-NIC TMG firewall is bypassed, everything works and the pages load. What might cause this? Think about the limitations of the single-NIC firewall: the client probably needs to open a connection that is neither HTTP nor HTTPS. This is very common when the initial page is HTTP or HTTPS but subsequent connections use a non-web protocol. In that case you will need to deploy at least a dual-NIC firewall with one of the other templates in order to get it to work.
For this reason it is critical that you understand exactly what type of traffic you want the TMG firewall to pass before you deploy it. In most cases the single-NIC TMG firewall is not the best choice, and we recommend that you avoid it because of the profound limitations it imposes. With that said, the single-NIC template can be very useful if you fully understand those limitations and know that you won't need any of the features it does not support. Finally, regardless of the template you use, configure only a single default gateway on the TMG firewall, and put it on the external interface. Multiple default gateways are an unsupported configuration and cause connectivity problems for the TMG firewall.
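Before you pick a template it helps to confirm what the host actually has: how many IP-enabled adapters there are, whether a second adapter is merely disabled (which does not make a single-NIC deployment supported), and how many adapters carry a default gateway. The following PowerShell is an added example, not code from the original article or from the TMG product; it assumes a Windows Server host with WMI available (the Win32_NetworkAdapterConfiguration and Win32_NetworkAdapter classes) and PowerShell 2.0 or later, which is what a TMG 2010 server ships with.

```powershell
# Added example (not from the original article): inventory adapters and
# default gateways on a TMG host before choosing a Network Template.
# Assumes a Windows Server host where the Win32_NetworkAdapterConfiguration
# and Win32_NetworkAdapter WMI classes are available.

# Adapters that actually have IP bound to them (what TMG can build networks on).
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")

"IP-enabled adapters: $($adapters.Count)"
foreach ($a in $adapters) {
    $gw = if ($a.DefaultIPGateway) { $a.DefaultIPGateway -join ', ' } else { '(none)' }
    "{0,-45} IP: {1,-30} GW: {2}" -f $a.Description, ($a.IPAddress -join ', '), $gw
}

# Physical adapters that are present but disabled. A disabled second NIC does
# not turn a single-NIC host into a supported dual-NIC deployment.
$disabled = @(Get-WmiObject Win32_NetworkAdapter -Filter "PhysicalAdapter = TRUE AND NetEnabled = FALSE")
if ($disabled.Count -gt 0) {
    Write-Warning ("{0} physical adapter(s) are disabled: {1}. They do not count toward a multi-NIC template." -f `
        $disabled.Count, (($disabled | ForEach-Object { $_.Name }) -join '; '))
}

# Map the adapter count to the templates that can be applied.
switch ($adapters.Count) {
    1       { "One adapter: only the Single NIC template applies (web proxy / web publishing only)." }
    2       { "Two adapters: Edge Firewall or Back Firewall template." }
    default { "Three or more adapters: 3-Leg Perimeter is available (External, Internal and DMZ each on their own adapter)." }
}

# TMG supports exactly one default gateway, and it belongs on the external interface.
$withGateway = @($adapters | Where-Object { $_.DefaultIPGateway })
if ($withGateway.Count -gt 1) {
    Write-Warning ("Default gateway configured on {0} adapters. Remove all but the one on the external interface." -f $withGateway.Count)
} elseif ($withGateway.Count -eq 0) {
    Write-Warning "No default gateway configured on any adapter."
} else {
    "Default gateway is on: $($withGateway[0].Description)"
}
```

Run it in an elevated PowerShell session on the TMG host before starting the Getting Started Wizard; the adapter that shows the gateway should be the one you later assign to the External network.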
In this article, we talked about the TMG firewall Network Templates. We saw that there are a number of templates that you can choose from. However, before you choose a template, you need to understand what is available so that you pick the right one. The four templates we discussed should get you where you want to go for the majority of TMG scenarios. I hope you benefited from this article; let me know if you need more information. Thanks! –Deb.