Recommended Network Adapter Configuration for Forefront TMG Standard Edition Servers

[This article originally appeared in the "Me, Myself and ISA" blog at: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html]

A high-level overview of network adapter configuration best practice is provided below:

  • The network adapter name used within the operating system should be changed to closely match the associated TMG network name. This clarifies assignment and improves supportability.
  • Only one network adapter should be configured with a default gateway.
  • Only one network adapter should be defined with DNS servers.
  • Unused or unnecessary bindings should be removed from all adapters, where possible, to reduce the attack surface exposed on each interface.
  • The default bind order should be amended to define a specific customised order.

Based upon these best practices, the configuration shown below is a tried and tested approach that can be used as part of a TMG Standard Edition deployment.

Deployments with a Single Network Adapter (Unihomed)

For deployments with a single network adapter, the following actions are recommended:

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the TMG network names. For example:

Internal Network

Tip: By matching the network adapter names, it makes mapping networks between TMG and Windows much easier when troubleshooting…

Configuration Step 2 – Configure Network Adapters:

Internal Network Adapter

  • Default Gateway should be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Please Note: By disabling the 'File and Print Sharing for Microsoft Networks' binding on the TMG internal adapter it will prevent you from connecting to shares on the TMG computer, irrespective of TMG system policy or other custom rules that may allow it. This approach is recommended for better security, as TMG should not be accessible as a file server, but this is an optional step.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position.

Deployments with Multiple Network Adapters (Multihomed)

For deployments with multiple network adapters, the following actions are recommended:

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the TMG network names. For example:

Internal Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network

Tip: By matching the network adapter names, it makes mapping networks between TMG and Windows much easier when troubleshooting…

Configuration Step 2 – Configure Network Adapters:

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Perimeter/DMZ Network Adapters

  • Default Gateway should not be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: By disabling the 'File and Print Sharing for Microsoft Networks' binding on the TMG adapters (the internal adapter in particular) you will no longer be able to connect to shares on the TMG computer, irrespective of TMG system policy or other custom rules that may allow it. This approach is recommended for better security, as TMG should not be accessible as a file server, but this is an optional step.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
Perimeter Network(s)
…others…
External Network (Lowest)
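The multihomed procedure above (Steps 1 to 3), which also covers the single-adapter case, as an added example that is not part of the original article: a PowerShell 2.0 script for Windows Server 2008 R2 (the platform TMG runs on, which has no NetAdapter module) that applies the settings with netsh and WMI and then audits the result. The adapter names beyond the article's own, the addresses and subnets, the internal router, and the location and switches of nvspbind.exe are assumptions.

```powershell
# Added example, not part of the original article: applies the settings
# above on Windows Server 2008 R2 (PowerShell 2.0, no NetAdapter module)
# with netsh and WMI, then audits the result. Adapter names, addresses
# (RFC 5737/1918 ranges), subnets and the nvspbind path are assumptions.
$Internal  = "Internal Network"
$Perimeter = "Anonymous Access Perimeter Network"
$External  = "External Network"

# Step 1 - rename the Windows connections to match the TMG network names
# (assumes the NICs still carry the default "Local Area Connection N" names).
netsh interface set interface name="Local Area Connection"   newname="$Internal"
netsh interface set interface name="Local Area Connection 2" newname="$Perimeter"
netsh interface set interface name="Local Area Connection 3" newname="$External"

# Step 2 - addressing: only the external adapter gets a default gateway.
netsh interface ipv4 set address name="$Internal"  source=static address=10.0.0.2     mask=255.255.255.0 gateway=none
netsh interface ipv4 set address name="$Perimeter" source=static address=172.16.0.1   mask=255.255.255.0 gateway=none
netsh interface ipv4 set address name="$External"  source=static address=203.0.113.10 mask=255.255.255.0 gateway=203.0.113.1
# With no gateway on the internal adapter, internal subnets behind an
# internal router need persistent static routes (hypothetical 10.0.0.0/8
# reached via a hypothetical router at 10.0.0.1):
route -p add 10.0.0.0 mask 255.0.0.0 10.0.0.1

# Only the internal adapter gets DNS servers. register=primary ticks
# "Register this connection's address in DNS", register=none clears it;
# address=none removes any server list left on the other adapters.
netsh interface ipv4 set dnsservers name="$Internal"  source=static address=10.0.0.10 register=primary validate=no
netsh interface ipv4 add dnsservers name="$Internal"  address=10.0.0.11 index=2 validate=no
netsh interface ipv4 set dnsservers name="$Perimeter" source=static address=none register=none
netsh interface ipv4 set dnsservers name="$External"  source=static address=none register=none

# NetBIOS over TCP/IP per adapter via WMI: 0 = default, 1 = enable, 2 = disable.
function Set-NetBiosOption([string]$ConnectionName, [int]$Option) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $nic) { throw "No adapter named '$ConnectionName'" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
    $cfg.SetTcpipNetbios($Option) | Out-Null
}
Set-NetBiosOption $Internal  0
Set-NetBiosOption $Perimeter 2
Set-NetBiosOption $External  2

# "Enable LMHOSTS lookup" is machine-wide even though the GUI shows it per
# adapter: EnableWINS(DNSEnabledForWINSResolution, WINSEnableLMHostsLookup).
([wmiclass]"Win32_NetworkAdapterConfiguration").EnableWINS($false, $false) | Out-Null

# Bindings and bind order have no built-in cmdlet or netsh command on 2008 R2.
# nvspbind.exe (a separate Microsoft download) is assumed here; check its
# switches against "nvspbind /?" before use. ms_msclient = Client for
# Microsoft Networks, ms_server = File and Printer Sharing.
$nvspbind = "C:\Tools\nvspbind.exe"   # assumed location
& $nvspbind /d "$Internal" ms_server
foreach ($name in $Perimeter, $External) {
    & $nvspbind /d "$name" ms_msclient
    & $nvspbind /d "$name" ms_server
}
# Step 3 - bind order: internal to the top, external to the bottom.
& $nvspbind /++ "$Internal" ms_tcpip
& $nvspbind /-- "$External" ms_tcpip

# Check: exactly one adapter with a gateway, exactly one with DNS servers,
# and the TCP/IP bind order as stored in the registry (top entry first).
function Test-TmgAdapterConfig {
    $cfgs    = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True")
    $withGw  = @($cfgs | Where-Object { $_.DefaultIPGateway })
    $withDns = @($cfgs | Where-Object { $_.DNSServerSearchOrder })
    if ($withGw.Count  -ne 1) { Write-Warning "Adapters with a default gateway: $($withGw.Count), expected 1" }
    if ($withDns.Count -ne 1) { Write-Warning "Adapters with DNS servers: $($withDns.Count), expected 1" }
    foreach ($c in $cfgs) {
        $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index=$($c.Index)"
        $fields = @($nic.NetConnectionID, ($c.DefaultIPGateway -join ","),
                    ($c.DNSServerSearchOrder -join ","), $c.TcpipNetbiosOptions,
                    $c.FullDNSRegistrationEnabled)
        "{0,-40} GW={1} DNS={2} NetBIOS={3} RegisterInDNS={4}" -f $fields
    }
    $names = @{}
    Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.GUID } |
        ForEach-Object { $names[$_.GUID] = $_.NetConnectionID }
    "TCP/IP bind order (highest first):"
    $bind = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage").Bind
    foreach ($entry in $bind) {
        $guid = $entry -replace '^\\Device\\(Tcpip_)?', ''
        "  $entry -> $($names[$guid])"
    }
}
Test-TmgAdapterConfig
```

Run it from an elevated PowerShell prompt on the TMG server after the adapters are physically identified; the final check is worth re-running after any later change, since a second default gateway or a stray DNS server on the external adapter is the most common way this configuration drifts.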

This article was originally written by:

Jason Jones, Forefront MVP
Principal Security Consultant
Silversands Limited
--------
My Forefront Edge Blog: http://blog.msedge.org.uk/
My TMG Blog: http://blog.msfirewall.org.uk/
MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones
Twitter: http://twitter.com/jjatsilversands