Planning Forefront TMG network topology
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help you plan and select the Forefront TMG network topology that is most suitable for your existing network topology, and for your network security requirements. It describes the topologies that are available for selection when you set up the Forefront TMG network, and the implementation considerations for each topology.
Forefront TMG network refers to the physical or logical network to which the computer on which Forefront TMG is installed belongs. For information about using Forefront TMG to create virtual private networks, see Planning for virtual private networks.
The following Forefront TMG network topologies are available:
Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).
3-Leg perimeter—This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.
Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.
Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet. For more information, see About single network adapter topology.
Forefront TMG may be connected to the local area network (LAN) directly, or through a router or another firewall. If you are connecting to Forefront TMG through a firewall for remote management, or as a Forefront TMG protected client, note the following:
Remote management, such as, from an Enterprise Management Server (EMS) computer, requires the use of remote procedure call (RPC) for remote server status and service status monitoring.
The path from Forefront TMG clients to Forefront TMG must not be port-filtered.
The ports required at the intervening firewall are described in the article Service overview and network port requirements for the Windows Server system (http://go.microsoft.com/fwlink/?LinkId=156514)