Now that Windows Essential Business Server (EBS) has hit the public domain and is available for beta testing to anyone, we can start talking about the TMG firewall included as part of the EBS package. If you haven’t seen or heard of EBS yet, it is a collection of three servers, a Management Server, a Messaging Server (running Exchange 2007) and a Security Server (running Forefront TMG). The most interesting part of the package, of course, is the TMG component.
I found it very interesting how they decided to deploy the TMG configuration on the Security Server. After setup completes, they create 16 Firewall Policy rules to support outbound access for internal users, inbound access to OWA, TSG, RPC/HTTP, RRW and ActiveSync. There are also other rules in place to support management from SCE, sync with the Exchange Edge Server which is also installed on the TMG firewall, and other protocols for monitoring.
When you install EBS, I suggest that you take some time to review the configuration of the TMG firewall and also of the Exchange Server and Terminal Services Gateway. EBS is supposed to present a fully baked best practices solution for all the components that part of the EBS package. What I want to challenge you to do, my dear ISAserver.org reader and ISA firewall admin, is to look at how the TMG is configured, look at the details of the access rules, Web Publishing Rules and Server Publishing Rules.
After reviewing the configuration (together with that on the Exchange and TSG servers), tell me what you think. Do you think that they’ve actually implemented security best practices with the TMG configuration and firewall rule set (including System Policy Rules)? Or do you think that maybe someone “forgot” something and that there are changes that should be made that would significantly improve the security offered by the TMG firewall as part of the EBS offering.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP — Microsoft Firewalls (ISA)