Auditing the Initial Configuration of the EBS TMG Firewall (Part 1)

If you would like to read the next part in this article series please read Auditing the Initial Configuration of the EBS TMG Firewall (Part 2).

The Microsoft Essential Business Server (EBS) product is a new release from Microsoft aimed at medium sized businesses. EBS allows you to deploy a multi-server solution that includes e-mail services, systems management services and a network firewall on three separate and distinct server platforms. In contrast to Small Business Server (SBS), where all server roles are on the same machine, the EBS solution breaks out the server roles so that each major role is deployed on a separate machine.

One of the major advantages of the EBS solution is that you now have the network firewall on a dedicated device. In the previous version of SBS, the network firewall was on the “all in one” box and the “all in one” box was designed to be an edge device. This put the SBS server in a precarious position, and limited your ability to adjust the network infrastructure design so as to bring the security configuration closer to something that could pass a security audit.

EBS is a three server solution that includes:

  • The Management Server. This machine is a domain controller and also runs System Center Essentials
  • The Messaging Server. This server runs Exchange 2007 and is also configured as a domain controller
  • The Security Server. This server runs Threat Management Gateway Medium Business Edition

In this article series we’re going to focus on the TMG MBE firewall. The TMG, or Forefront Threat Management Gateway, represents the latest edition of the ISA firewall. While the ISA brand name is going away, the ISA technology that we’ve known and loved for the last decade isn’t going away and in fact is going to get even better.

Overall, I think it’s a good idea to change the name of the ISA firewall, since ISA’s official name is “Internet Security and Acceleration Server”. There are two things that don’t work well with that name: first, there is a focus on “acceleration”, which is the Web caching component. The TMG and future versions of the ISA/TMG firewall won’t see any changes or investments in the Web caching feature, which is the part that “accelerates” the Internet; second, inclusion of the term “Server” isn’t something that helps in promoting a firewall. No one wants to put a “server” on the edge of his network.

Threat Management Gateway more clearly represents the function of the TMG firewall. It manages threats coming from both the Internet and from TMG protected networks. And the TMG is better equipped to do this than the ISA firewall because it includes additional application layer inspection features that enable it to protect you from today’s application-centric threats.

Keep in mind that the TMG version included with EBS is not the “fully baked” version of the TMG, which you’ll likely see next year. While the Medium Business Edition (MBE) version of the TMG firewall does represent a major internal redesign of the core ISA firewall engine and introduces some significant improvements in performance and security, it provides only a subset of the features and capabilities that will be included with the full version of the TMG firewall.

Of the many differences you’ll find between the full TMG firewall and the MBE version of the TMG firewall, one of the most significant is that the TMG MBE firewall is fully configured for you during installation. The EBS team has put together a collection of configuration best practices based on the EBS configuration of your network, and implemented those best practices in the initial configuration of the TMG MBE firewall. In contrast, with the full version of the TMG firewall that you’ll see in the future, the initial configuration will be up to you and you’ll need to be aware of how the firewall works and how to best configure it to support your unique network requirements.

The reason why the TMG MBE firewall can be configured for you is that the EBS team knows the details of your EBS network. They can use that information to configure the TMG MBE firewall using a best practices setup, based on the knowledge they have of the EBS configuration. This is something that the full version of the TMG firewall won’t be able to do, since it’s not aware of your network’s servers and services and how to apply best practices to secure them (at least, it won’t be able to do that without your help).

So, what is this best practices configuration? What are the details of the TMG MBE initial configuration? Are the settings deployed by the EBS team to the TMG MBE firewall really best practices, or maybe a variation of best practices?

These are the questions I hope to answer in this article series on auditing the initial configuration of the TMG MBE firewall.

What we’ll do for the next several weeks is take a look at the TMG MBE firewall configuration from the top down. We’ll document these settings and I’ll discuss with you what these settings do, and how they fit with the EBS configuration and how you might want to adjust them in order to improve security or functionality.

The EBS Test Network

Before we get started, let’s take a look at the example EBS network I’m working with. All machines are installed as virtual machines on a single host with one quad-core Xeon processor and 8 GB of RAM. The host is running Windows Server 2008 Enterprise Edition and the Hyper-V server role is installed.

In Hyper-V, we’ll be working with two virtual networks:

  • An External Virtual Network that is bound to the physical interface on the Hyper-V server
  • An Internal Virtual Network, to which the internal interface of the TMG firewall and the interfaces of the management and messaging servers are connected

You might ask “why did you choose to create an internal virtual network instead of a private virtual network”, and that would be a good question. I don’t have a good answer for you, because I honestly don’t understand what the difference is between Private and Internal networks, as the following definitions of these networks don’t make much sense from a deployment perspective:

If you can tell me what the practical differences are between Internal and Private networks, I’ll be in your debt and point out your generous spirit on my blog.

The figures below show the configuration of the Virtual Networks.

Figure 1

Figure 2
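The following script is an added example, not part of the original article, showing how the two virtual networks and the three VM attachments described above would be built from the Hyper-V PowerShell module. It assumes the Hyper-V module of Windows Server 2012 or later (the article’s Server 2008 host only offers the Hyper-V Manager GUI for this), that the three VMs already exist without network adapters, and that the physical adapter is called “Ethernet”; those names are placeholders.

```powershell
# Added example (not from the article): build the EBS test lab's two Hyper-V
# virtual networks and attach the VMs, then check that no internal server
# has a path around the firewall.
# ASSUMPTIONS: Hyper-V PowerShell module (Server 2012+), VMs EBSTMG, EBSMGMT
# and EBSEXCH already exist with no network adapters, physical NIC "Ethernet".
Import-Module Hyper-V

$physicalNic    = "Ethernet"                    # assumed adapter name
$externalSwitch = "External Virtual Network"
$internalSwitch = "Internal Virtual Network"

# External virtual network: bound to the physical NIC, so the TMG external
# interface sits on the live network behind the production ISA firewall.
if (-not (Get-VMSwitch -Name $externalSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $externalSwitch -NetAdapterName $physicalNic -AllowManagementOS $true | Out-Null
}

# Internal virtual network: no physical binding. -SwitchType Internal also
# gives the Hyper-V host a virtual adapter on this switch; -SwitchType Private
# would leave only the VMs on it. Either way, traffic from the lab to the
# outside world can only leave through the TMG firewall.
if (-not (Get-VMSwitch -Name $internalSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $internalSwitch -SwitchType Internal | Out-Null
}

# Wiring: the firewall straddles both networks, the two internal servers
# get exactly one adapter, on the internal network.
$wiring = @{
    "EBSTMG"  = @($externalSwitch, $internalSwitch)
    "EBSMGMT" = @($internalSwitch)
    "EBSEXCH" = @($internalSwitch)
}
foreach ($vm in $wiring.Keys) {
    foreach ($switch in $wiring[$vm]) {
        Add-VMNetworkAdapter -VMName $vm -SwitchName $switch -Name $switch
    }
}

# Audit: an internal server attached to anything but the internal switch
# would bypass the TMG firewall entirely.
Get-VMNetworkAdapter -VMName "EBSMGMT", "EBSEXCH" |
    Where-Object { $_.SwitchName -ne $internalSwitch } |
    ForEach-Object {
        Write-Warning "$($_.VMName) is attached to '$($_.SwitchName)' and bypasses the firewall"
    }
```

Run it once from an elevated PowerShell on the Hyper-V host; the switch creation is skipped when the switches already exist, so the audit at the end can be re-run on its own after any change to the VM configuration.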

There are three machines included in the example EBS network. These are:

  • EBSMGMT – This is the EBS Management Server
  • EBSEXCH — This is the EBS Exchange Server
  • EBSTMG – This is the EBS TMG firewall

The figure below shows the network topology and IP addressing settings:

Figure 3

Note the internal servers use the internal interface of the TMG firewall as their default gateway to the Internet. The TMG firewall uses the production ISA firewall on the live physical network as its default gateway to the Internet. I have adjusted the DNS server settings on the EBSMGMT server to use my internal DNS resolver as its DNS forwarder to speed up name resolution.
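Since the point of this series is auditing, here is an added example (my own, not from the article) of checking the addressing described above from inside one of the EBS machines. It queries WMI, which is available on the Windows Server 2008 VMs, and needs PowerShell 2.0. The gateway and DNS addresses are assumed placeholders; substitute the ones from your copy of Figure 3.

```powershell
# Added example (not from the article): verify that a machine in the EBS lab
# follows the topology in the text. On EBSMGMT/EBSEXCH every adapter must use
# the TMG internal interface as its only default gateway; on EBSTMG exactly
# one adapter (the external one) may have a gateway, and it must be the
# production ISA firewall. ASSUMED placeholder addresses are used throughout.
param(
    [string]   $ExpectedGateway = "10.0.0.1",     # assumed: TMG internal interface
    [string[]] $ExpectedDns     = @("10.0.0.10"), # assumed: EBSMGMT (domain controller DNS)
    [switch]   $Firewall                          # run with this on EBSTMG
)

function Test-EbsNicConfig {
    param([string]$Gateway, [string[]]$Dns, [switch]$IsFirewall)

    $results = @()
    $adaptersWithGateway = 0
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($nic in $nics) {
        # WMI returns $null for unset properties; drop those before counting.
        $gateways = @($nic.DefaultIPGateway    | Where-Object { $_ })
        $servers  = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $v4       = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })

        $findings = @()
        if ($gateways.Count -gt 0) { $adaptersWithGateway++ }
        if ($gateways.Count -gt 1) {
            $findings += "multiple default gateways ($($gateways -join ', '))"
        }
        if ($IsFirewall) {
            # Only the upstream ISA firewall is an acceptable gateway on the TMG.
            foreach ($g in $gateways) {
                if ($g -ne $Gateway) { $findings += "gateway $g is not the upstream firewall $Gateway" }
            }
        } elseif ($gateways.Count -eq 0) {
            $findings += "no default gateway"
        } elseif ($gateways -notcontains $Gateway) {
            $findings += "gateway is not the TMG internal interface $Gateway"
        }
        if ($servers.Count -eq 0) { $findings += "no DNS servers configured" }
        foreach ($s in $servers) {
            if ($Dns -notcontains $s) { $findings += "DNS server $s is not an expected resolver" }
        }

        $results += New-Object PSObject -Property @{
            Adapter  = $nic.Description
            IPv4     = ($v4 -join ', ')
            Gateway  = ($gateways -join ', ')
            DNS      = ($servers -join ', ')
            Findings = ($findings -join '; ')
        }
    }
    if ($IsFirewall -and $adaptersWithGateway -ne 1) {
        # A gateway on the internal adapter too would give the TMG two ways out.
        $results += New-Object PSObject -Property @{
            Adapter = "(summary)"; IPv4 = ""; Gateway = ""; DNS = ""
            Findings = "firewall has $adaptersWithGateway adapters with a default gateway; expected exactly 1"
        }
    }
    return $results
}

Test-EbsNicConfig -Gateway $ExpectedGateway -Dns $ExpectedDns -IsFirewall:$Firewall |
    Format-Table Adapter, IPv4, Gateway, DNS, Findings -AutoSize
```

Run it as-is on EBSMGMT and EBSEXCH; on EBSTMG pass `-Firewall` together with `-ExpectedGateway` set to the production ISA firewall’s address and `-ExpectedDns` set to whatever resolver you gave the firewall. An empty Findings column for every adapter means the machine matches the topology in the text.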


In this first part of a multipart series on the initial configuration settings of the EBS TMG MBE firewall, I provided a high-level overview of the EBS solution and then discussed the design philosophy behind the TMG MBE firewall and its deployment configuration. I then finished up with a discussion of the test network on which EBS is installed. Next week we’ll start getting into the details of the TMG firewall configuration and see what these options mean and if any present opportunities for improvement. See you then! –Tom.

