Resources For IT Professionals
Post an article
Wikis - Page Details
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers

Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers

Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers

Table of Contents


[This article originally appeared in the "Me, Myself and ISA" blog at: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html]

A high-level overview of network adapter configuration best practice is provided below:

  • The network adapter name used within the operating system should be changed to closely match the associated TMG network name. This clarifies assignment and improves supportability.
  • Only one network adapter should be configured with a default gateway.
  • Only one network adapter should be defined with DNS servers.
  • Unused or unnecessary bindings should be removed from all adapters, where possible, to improve security.
  • The default bind order should be amended to define a specific customised order.

Based upon these best practices, the configuration shown below is a tried and tested approach that can be used as part of a TMG Enterprise Edition deployment.

Deployments with a Single Network Adapter (Unihomed)

For deployments with a single network adapter, the following actions are recommended:

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the TMG network names. With TMG Enterprise Edition, it is recommended to add a dedicated Intra-Array network adapter. Therefore, we need to consider this additional adapter in the configuration steps, but TMG is still considered as a unihomed deployment. For example:

Internal Network
Intra-Array Network

Tip: By matching the network adapter names, it makes mapping networks between TMG and Windows much easier when troubleshooting…

Configuration Step 2 – Configure Network Adapters:

Internal Network Adapter

  • Default Gateway should be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Please Note: By disabling the 'File and Print Sharing for Microsoft Networks' binding on the TMG internal adapter it will prevent you from connecting to shares on the TMG computer, irrespective of TMG system policy or other custom rules that may allow it. This approach is recommended for better security, as TMG should not be accessible as a file server, but this is an optional step.

Please Note: In the event that you are not using a dedicated Intra-Array network adapter, it is recommended to leave the 'File and Print Sharing for Microsoft Networks' binding at the default setting of Enabled on the Internal Network adapter.

Intra-Array Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Configuration Step 2 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the Intra-Array Network adapter should be placed directly below it. For example:

Internal Network (Highest)
Intra-Array Network (Next Highest)

Deployments with Multiple Network Adapters (Multihomed)

For deployments with multiple network adapters, the following actions are recommended:

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the TMG network names. For example:

Internal Network
Intra-Array Network
Anonymous Access Perimeter/DMZ Network
Authenticated Access Perimeter/DMZ Network
External Network

Tip: By matching the network adapter names, it makes mapping networks between TMG and Windows much easier when troubleshooting…

Configuration Step 2 – Configure Network Adapters

:

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Intra-Array Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Perimeter/DMZ Network Adapters

  • Default Gateway should not be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled  
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: By disabling the 'File and Print Sharing for Microsoft Networks' binding on the TMG internal adapter it will prevent you from connecting to shares on the TMG computer, irrespective of TMG system policy or other custom rules that may allow it. This approach is recommended for better security, as TMG should not be accessible as a file server, but this is an optional step.

Please Note: In the event that you are not using a dedicated Intra-Array network adapter, it is recommended to leave the 'File and Print Sharing for Microsoft Networks' binding at the default setting of Enabled on the Internal Network adapter.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position, the Intra-Array Network adapter next, the Perimeter/DMZ Network adapters next and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
Intra-Array Network (Next Highest)
Perimeter/DMZ Network(s)
…others…
External Network (Lowest)

This article was originally written by:

Jason Jones, Forefront MVP
Principal Security Consultant
Silversands Limited
--------
My Forefront Edge Blog: http://blog.msedge.org.uk/
My TMG Blog: http://blog.msfirewall.org.uk/
MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones
Twitter: http://twitter.com/jjatsilversands

, , , , , , [Edit tags]
Leave a Comment
  • Please add 5 and 4 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
Page 1 of 1 (2 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 1 Sep 2013 1:53 AM

    Maheshkumar S Tiwari edited Original. Comment: Added TOC

  • Posted by
    on 1 Sep 2013 1:55 AM

    Maheshkumar S Tiwari edited Revision 1. Comment: Added tags and minor formatting

Page 1 of 1 (2 items)