Overview of the Threat Management Gateway Networking Node
One of the things that many people used to ask regarding the ISA firewall was, “How do you have a key networking device on your network but not enable any control of networking behavior in the firewall console?” That was a good question. After all, the ISA firewall was designed to be a network firewall to be put at the edge, or should I say, any edge on your network. The ISA firewall was designed to be more secure and more flexible than any hardware firewall and did a great job of that. However, the point was made that since the ISA firewall is a key piece of network gear, you should be able to control the networking behavior within the firewall console.
How did the ISA firewall team fix this problem? With the introduction of the TMG firewall, they included the new Networking node in the left pane of the TMG firewall console. You can see where the Networking Node fits in the left pane in Figure 1 below.
Since the Networking node is new, I thought it might be worthwhile to get a high level overview of what’s in there. In the future, we will go over some of the wizards that you will encounter in the Networking node, but we will leave that deep dive stuff for a future article.
When you click on the Networking node in the left pane of the console, you will see in the middle pane what appears in the figure below. There are seven tabs, and we will walk through them in order:
- Networks
- Network Sets
- Network Rules
- Network Adapters
- Routing
- Web Chaining
- ISP Redundancy
On the Networks tab, you will see a list of the default Networks created on the TMG firewall. The Network concept is critical in the world of ISA or TMG. Each network interface card on the firewall acts as the “root” of a TMG Network. A Network is defined as all of the addresses that are reachable through a particular NIC. These addresses can be on the NIC’s own subnet or behind a router on that subnet, but they must be reachable through the NIC that acts as the “root” of the TMG Network. Any IP address that is not included in a TMG Network’s definition is assumed to belong to some other TMG Network, and if no other TMG Network defines it either, it is treated as part of the default External Network.
The figure below shows the five default TMG Networks:
- External – all addresses that are not part of any other TMG Network
- Internal – all addresses you defined as part of the default Internal Network
- Local Host – all addresses that are bound to the NICs on the TMG firewall
- Quarantined VPN Clients – addresses that belong to quarantined VPN clients
- VPN Clients – addresses that belong to VPN clients that are not in quarantine
Notice that the VPN-related Networks are dynamically constructed; that is, addresses are added to and removed from them as VPN clients connect to and disconnect from the TMG firewall, which acts as the VPN server and gateway.
If you install a new NIC on the TMG firewall, you always need to create a new Network for that NIC and include all the addresses that are reachable through it, including any subnets behind routers on that segment. If you leave addresses out, the firewall treats them as part of the External Network and applies External policy to them. Keep this in mind, because it is a common reason for failures in DMZ connectivity.
While we are here on the Networks tab, let us take a look at the Tasks Tab. Here you can see some options that used to be located in other areas on the ISA firewall console. For example, in the Tasks Tab, you will see the Specify Dial-up Preferences link.
When you click the Specify Dial-up Preferences link, it will bring up the Dialing Configuration dialog box. This configuration option is something of a leftover from days gone by, when dial-up connections were commonly used by the ISA 2000 firewall. We used this ourselves way back when ISDN was the only affordable “high speed” Internet option in our area. With dial-up networking being essentially dead in the business space today, you probably won’t find too many instances where you would use this dialog box now.
Click on the Configure Forefront TMG Client Settings link in the Tasks Tab. This might be a bit confusing if you did not know that the Firewall Client changed its name to TMG Client. Here you can configure the Firewall Client (TMG Client) settings. Unfortunately, these are no longer documented for the TMG firewall, and you get the sense that the entire Firewall client/TMG client thing is being deprecated, except for the fact that the TMG client is required if you want to notify your users about outbound SSL inspection.
Click on the Network Sets tab in the middle pane. Here you can see the list of default Network Sets. A Network Set is just a collection of Networks that are defined on the Networks tab. There are three default Network Sets:
- All Networks (and Local Host) – this includes (as its name implies) all Networks, including the default External Network and the Local Host Network. Be very careful about using this Network Set in rules: an allow rule with this set as the source also matches traffic arriving from the External Network, so it can expose the firewall itself or the Networks behind it to the Internet.
- All Protected Networks – this includes all Networks except the default External Network.
- Forefront Protection Manager Monitored Networks – this doesn’t do anything because Microsoft scuttled the Forefront Protection Manager product.
You can create your own Network Sets if you like by using the Create New Network Set Wizard.
On the Network Rules tab you see a list of the default Network Rules. A Network Rule is required to connect Networks to each other. Firewall policy rules (access rules and publishing rules) decide which traffic between two hosts is allowed, but a Network Rule connecting the source and destination Networks must exist first; without one, no traffic moves between those Networks regardless of what the firewall policy says. When you create a Network Rule, you define the relationship between the Networks as either Route or NAT.
The default Network Rules include:
- Local Host Access – this rule defines connectivity between the Local Host Network and all other Networks. The relationship between the Local Host Network and all other Networks is Route.
- VPN Clients to Internal Network – this rule defines connectivity between the VPN Clients and Quarantined VPN Clients Networks and the default Internal Network, with the relationship set to Route. Notice that this Network Rule does not connect VPN clients to the Internet; the Internet Access Network Rule takes care of that connectivity.
- Internet Access – this Network Rule connects the default Internal Network, the Quarantined VPN Clients Network, and the VPN Clients Network to the default External Network (the Internet) and defines a NAT relationship between the source and destination Networks.
Network Rules give you a lot of flexibility as to how you can connect source and destination computers. For example, you can terminate VPN client connections in front of the TMG firewall, and define a Network for the network in front of the TMG firewall, and then create a Route Network Rule between that Network and the default Internal Network.
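As an added illustration (this is a model written for this article, not TMG code and not something from the original console walkthrough), the following Python script shows the two ideas from the Networks and Network Rules tabs working together: an address is classified into the TMG Network whose ranges cover it and falls into External when nothing covers it, and a Network Rule with a Route or NAT relationship must connect the two Networks before any firewall policy rule could matter. The topology, the DMZ Network, the “Internal to DMZ” rule and all addresses are constructed for the example; the model treats Route as bidirectional and NAT as one-way from source to destination, which is how TMG applies the two relationships.

```python
import ipaddress

EXTERNAL = "External"
LOCAL_HOST = "Local Host"

# Constructed example topology (not a real deployment): each TMG Network is a
# list of (first, last) address ranges reachable through the NIC that "roots" it.
# Local Host is listed first because the firewall's own addresses also sit inside
# the Internal and DMZ ranges and must classify as Local Host, not Internal.
NETWORKS = {
    LOCAL_HOST:    [("10.0.0.1", "10.0.0.1"), ("192.168.100.1", "192.168.100.1"),
                    ("203.0.113.10", "203.0.113.10")],
    "Internal":    [("10.0.0.0", "10.0.255.255")],
    "DMZ":         [("192.168.100.0", "192.168.100.255")],
    "VPN Clients": [("10.255.0.1", "10.255.0.254")],
}

# Network Sets are just named collections of Networks (mirrors the defaults).
NETWORK_SETS = {
    "All Networks (and Local Host)": list(NETWORKS) + [EXTERNAL],
    "All Protected Networks": list(NETWORKS),
}

# Network Rules: (name, sources, destinations, relationship). Entries may name
# either a Network or a Network Set. "Internal to DMZ" is a hypothetical rule an
# administrator would add after creating the DMZ Network for a third NIC.
NETWORK_RULES = [
    ("Local Host Access", [LOCAL_HOST], ["All Networks (and Local Host)"], "Route"),
    ("VPN Clients to Internal Network", ["VPN Clients"], ["Internal"], "Route"),
    ("Internet Access", ["Internal", "VPN Clients"], [EXTERNAL], "NAT"),
    ("Internal to DMZ", ["Internal"], ["DMZ"], "Route"),
]


def classify(ip_str):
    """Return the TMG Network an address belongs to. Anything not covered by a
    defined Network's ranges falls into the default External Network."""
    ip = ipaddress.ip_address(ip_str)
    for name, ranges in NETWORKS.items():
        for first, last in ranges:
            if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
                return name
    return EXTERNAL


def expand(names):
    """Resolve a mix of Network and Network Set names to a set of Network names."""
    out = set()
    for n in names:
        out.update(NETWORK_SETS.get(n, [n]))
    return out


def relationship(src_ip, dst_ip):
    """Find the first Network Rule connecting the source and destination Networks.
    Returns (rule name, relationship, src Network, dst Network). The rule name is
    None when no Network Rule connects the two, in which case no access rule
    could pass the traffic either."""
    src, dst = classify(src_ip), classify(dst_ip)
    for name, sources, dests, rel in NETWORK_RULES:
        s, d = expand(sources), expand(dests)
        if src in s and dst in d:
            return (name, rel, src, dst)
        if rel == "Route" and src in d and dst in s:   # Route connects both ways
            return (name, rel, src, dst)
    return (None, None, src, dst)


if __name__ == "__main__":
    cases = [
        ("10.0.5.7", "198.51.100.20"),    # Internal -> Internet: NAT
        ("198.51.100.20", "10.0.5.7"),    # Internet -> Internal: no rule, NAT is one-way
        ("192.168.100.20", "10.0.5.7"),   # DMZ -> Internal over the Route rule
        ("192.168.200.5", "10.0.5.7"),    # subnet behind the DMZ NIC that was never
                                          # added to the DMZ Network: lands in External
    ]
    for pair in cases:
        print(pair, "->", relationship(*pair))
```

The last case is the DMZ failure mode from the Networks tab discussion: 192.168.200.0/24 sits behind the DMZ NIC but was never added to the DMZ Network, so the firewall classifies the host as External and no Network Rule connects it to Internal, whatever the access rules say. Adding the missing range to the DMZ Network definition fixes it; adding access rules does not.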
Click the Network Adapters tab in the middle pane. Here you can see a list of the NICs that are installed on the TMG firewall. If you right click one of the NICs and then click Properties, you can see the Properties dialog box for that NIC. This allows you to change the IP addressing configuration on the NIC from within the TMG console.
Click on the Routing tab in the middle pane of the console. Here you can see the contents of the routing table on the TMG firewall. You can also configure something called Network Topology Routes here, and there is a wizard that allows you to add Network Topology Routes. If you check the Help File or the online documentation for the TMG firewall, you’ll be hard pressed to find a definition of a Network Topology Route. I asked Tom about this, and he confirmed that there doesn’t seem to be an official definition of a Network Topology Route anywhere, and when I asked him why this was the case, he told me, “I wasn’t at that meeting” 🙂
I believe that the Network Topology Route is a routing table entry that you can configure for an entire array. This is an inference I make because they break out the Network Topology Routes from the Active Server Routes. But how it’s actually used in practice is still a bit of a mystery to me. Maybe they’ll document this in the next version of the TMG firewall.
Click the Web Chaining tab. Here you can create new Web Chaining Rules. A Web Chaining Rule is a way to connect Web proxy clients to Web proxy servers. You can also chain Web proxy servers to one another, in which case the proximal (downstream) Web proxy server acts as a Web proxy client to the distal (upstream) Web proxy server. In the figure below you can see the Properties dialog box of the default Web Chaining Rule. Notice that when you create a Web Chaining Rule, you can redirect the connection to a specific upstream Web proxy server and then configure a backup route to use if that server is unavailable. Web proxy chaining is a leftover from the Proxy 2.0 product, before the product became primarily a firewall.
The last tab is the ISP Redundancy tab. Here you can configure the TMG firewall to use two ISPs. The configuration allows you to use both ISPs and load balance outbound connections across them, or to configure the ISPs so that one is always used and the second is used only for failover if the primary ISP fails.
In this article, we took a high level look at the new Networking node in the TMG firewall console. The Networking node brings together a number of configuration options related to networking for the TMG firewall. New functionality introduced in the Networking node includes the ability to configure the NICs within the console, to configure routing table entries from within the console, and to use multiple ISPs.