Web-server – TMG reverse proxy and basic config

Tags: microsoft-ftmg, microsoft-ftmg-2010, reverse-proxy, web-server

I recently set up TMG2010 and I believe I've done something wrong with my configuration. I do not want to run anything extra apart from a web publishing/reverse proxy setup.

My internet goes to an ASA, which is NATing port 80 of the external static IP to 10.1.20.5 (the TMG machine, on the ASA's DMZ network 10.1.20.0). The TMG machine has a second NIC (10.1.10.x with gateway 10.1.10.1) for the internal connection to the web servers.

What is the simplest way I can make sure the internal/external network groups are set up properly (which I think is my current issue), verify my web listener is working properly, and then publish several sites on different internal IPs?

I've seen a few guides on setting up the web forwarding but they all presuppose that the network groups are set up properly. Mine definitely do not appear to be so.

I changed the internal network to be 10.1.10.0 – 10.1.10.255, external network seems to be unconfigurable, and I'm not sure if I need others.

Thanks!

These are the ranges I get when I try to add the 'internal' adapter to the 'internal' network group:

0.0.0.1 – 10.1.19.255

10.1.21.0 – 126.255.255.255

128.0.0.0 – 223.255.255.255

240.0.0.0 – 255.525.255.254

When I add the DMZ adapter I get the same first, 3rd, and 4th groups but the second group is:

10.1.11.0 – 126.255.255.255

I feel like these should not be the addresses in the 'Internal' network group. There are none listed under "Local Host", "Quarantine" or "VPN Clients".
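The ranges TMG offers when you add an adapter to a network are derived from the Windows routing table: the address blocks reachable through that adapter, excluding the other adapter's own subnet, loopback and multicast. The Python below is an added example, not code from the question or answer: it computes those ranges as the complement of the excluded blocks (reproducing the internal-adapter list above, with the last octet of the fourth range read as 255) and then checks whether a network definition is confined to the internal subnet. The subnets 10.1.10.0/24 and 10.1.20.0/24 come from the question; the loopback and multicast exclusions are assumed.

```python
"""Reproduce the address ranges TMG derives for an adapter and check an
Internal network definition against the internal subnet (constructed example)."""
from ipaddress import IPv4Address, IPv4Network

LOWEST = int(IPv4Address("0.0.0.1"))            # TMG lists start at 0.0.0.1
HIGHEST = int(IPv4Address("255.255.255.254"))   # and end at 255.255.255.254


def adapter_ranges(excluded):
    """Everything from LOWEST to HIGHEST except the given networks, as a
    sorted list of (first, last) IPv4Address pairs; overlaps are merged."""
    nets = sorted((IPv4Network(n) for n in excluded),
                  key=lambda n: int(n.network_address))
    ranges, cursor = [], LOWEST
    for net in nets:
        first, last = int(net.network_address), int(net.broadcast_address)
        if first > cursor:
            ranges.append((IPv4Address(cursor), IPv4Address(first - 1)))
        cursor = max(cursor, last + 1)
    if cursor <= HIGHEST:
        ranges.append((IPv4Address(cursor), IPv4Address(HIGHEST)))
    return ranges


def network_ranges(subnets):
    """Ranges for an explicitly defined network: one (first, last) per subnet."""
    return [(IPv4Network(s).network_address, IPv4Network(s).broadcast_address)
            for s in subnets]


def as_strings(ranges):
    return [(str(lo), str(hi)) for lo, hi in ranges]


def covers_only(ranges, allowed):
    """True if every range lies entirely inside one of the allowed subnets."""
    nets = [IPv4Network(n) for n in allowed]
    return all(any(lo in n and hi in n for n in nets) for lo, hi in ranges)


# Internal NIC carries the default gateway (10.1.10.1), so the route table sends
# everything through it except the DMZ subnet, loopback and multicast.
INTERNAL_ADAPTER = adapter_ranges(["10.1.20.0/24", "127.0.0.0/8", "224.0.0.0/4"])

if __name__ == "__main__":
    for lo, hi in as_strings(INTERNAL_ADAPTER):
        print(f"{lo} - {hi}")
    print("confined to 10.1.10.0/24:", covers_only(INTERNAL_ADAPTER, ["10.1.10.0/24"]))
```

A result of False from the last check means the adapter-derived definition spans the internet rather than just the internal subnet, which is what the question's list shows.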

Best Answer

Based on what I've read you should be able to continue down your current route.

One thing that is very important if you are using a dual homed TMG is to use the "change source IP" options in your publishing rules. Without it you'll have your traffic routed back out the Cisco device and likely dropped since it doesn't have an established connection. That's bitten me in more setups than I would care to admit.

When using TMG strictly as a reverse proxy I'd highly suggest that you go with a single network interface setup, as outlined here. I find this setup much easier to manage.

All this being said, be careful using Forefront. Its mainstream support ends in early 2015 and the intrusion detection signatures are going to become useless. Although you just want a reverse proxy now, is that going to be true in a year? Or two?
