Network View

In a classic view of a multi-networking environment, a firewall or router provides connectivity between one or more networks. Depending on how access control is configured on the firewall or router, communication is allowed to pass between the networks. For example, consider the following figure, which illustrates a classic view of the multi-networking scenario.


In the figure, a corporate network is connected to the Internet, allowing clients access to the Internet. A perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) is connected to the corporate network and to the Internet, allowing access to its resources.

The relationships between the networks can be defined as follows:

  • Clients on the corporate network can access the Internet.
  • Computers on the Internet cannot access the corporate network clients.
  • Clients on the corporate network can access resources on the perimeter network.

Clients on the Internet can access resources on the perimeter network.

You can use Forefront TMG to define network rules (FPCNetworkRule objects), thereby allowing access between the networks. When you do so, you define not only whether the networks are connected, but also how they are connected. In this way, you establish the network access policy between the networks.

The following figure illustrates the concept of network access policy. Here, network rules have been configured to allow network access between the same networks shown in the previous figure.


In other words, network rules define the relationships between the networks as follows:

  • A routing relationship is defined between the branch office and the headquarters. A routing relationship allows traffic between the networks. Routing relationships are bidirectional and do not call for address translation.
  • A network address translation (NAT) relationship is defined from the corporate network to the perimeter network. NAT relationships are unidirectional and unique. Therefore, no relationship can exist from the perimeter network to the corporate network.
  • A NAT relationship is defined from the corporate network to the Internet. Again, no relationship exists from the Internet to the corporate network.
  • Finally, a NAT relationship is defined from the perimeter network to the Internet.

The general guideline is that when you publish IP addresses, you define a routing relationship. If you do not want to expose IP addresses, you define a NAT relationship.

Administrator's Role

The administrator's tasks include establishing Forefront TMG rules and policies, and configuring the cache. Forefront TMG rules determine how Forefront TMG clients communicate with the Internet and the type of communication that is allowed. These rules also determine how servers on your local network communicate with Internet users.

Four items are shown in the network view figure:

  • A remote computer from which an administrator manages Forefront TMG.
  • A Forefront TMG computer, whose components are shown in the Server View figure.
  • Clients and servers that use the Forefront TMG firewall and cache capabilities.

You can programmatically perform or automate Forefront TMG administration tasks by accessing the Forefront TMG COM objects. For more information, see Forefront TMG Administration Scripting.



Build date: 7/12/2010