Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers

[This article originally appeared in the "Me, Myself and ISA" blog at: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html]

A high-level overview of network adapter configuration best practice is provided below:

  • The network adapter name used within the operating system should be changed to closely match the associated TMG network name. This clarifies assignment and improves supportability.
  • Only one network adapter should be configured with a default gateway.
  • Only one network adapter should be defined with DNS servers.
  • Unused or unnecessary bindings should be removed from all adapters, where possible, to improve security.
  • The default bind order should be amended to define a specific customised order.

Based upon these best practices, the configuration shown below is a tried and tested approach that can be used as part of a TMG Enterprise Edition deployment.

Deployments with a Single Network Adapter (Unihomed)

For deployments with a single network adapter, the following actions are recommended:

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the TMG network names. With TMG Enterprise Edition, it is recommended to add a dedicated Intra-Array network adapter. Therefore, we need to consider this additional adapter in the configuration steps, but TMG is still considered as a unihomed deployment. For example:

  • Internal Network
  • Intra-Array Network

Tip: Matching the network adapter names to the TMG network names makes mapping networks between TMG and Windows much easier when troubleshooting.

Configuration Step 2 – Configure Network Adapters:

Internal Network Adapter

  • Default Gateway should be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the TMG internal adapter will prevent you from connecting to shares on the TMG computer, irrespective of any TMG system policy or custom rules that may allow it. This approach is recommended for better security, as TMG should not be accessible as a file server, but it is an optional step.

Please Note: In the event that you are not using a dedicated Intra-Array network adapter, it is recommended to leave the 'File and Print Sharing for Microsoft Networks' binding at the default setting of Enabled on the Internal Network adapter.

Intra-Array Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position, with the Intra-Array Network adapter directly below it. For example:

  • Internal Network (Highest)
  • Intra-Array Network (Next Highest)

Deployments with Multiple Network Adapters (Multihomed)

For deployments with multiple network adapters, the following actions are recommended:

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the TMG network names. For example:

  • Internal Network
  • Intra-Array Network
  • Anonymous Access Perimeter/DMZ Network
  • Authenticated Access Perimeter/DMZ Network
  • External Network

Tip: Matching the network adapter names to the TMG network names makes mapping networks between TMG and Windows much easier when troubleshooting.

Configuration Step 2 – Configure Network Adapters:

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Intra-Array Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

Perimeter/DMZ Network Adapters

  • Default Gateway should not be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled*
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the TMG internal adapter will prevent you from connecting to shares on the TMG computer, irrespective of any TMG system policy or custom rules that may allow it. This approach is recommended for better security, as TMG should not be accessible as a file server, but it is an optional step.

Please Note: In the event that you are not using a dedicated Intra-Array network adapter, it is recommended to leave the 'File and Print Sharing for Microsoft Networks' binding at the default setting of Enabled on the Internal Network adapter.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position, the Intra-Array Network adapter next, the Perimeter/DMZ Network adapters next and the External Network at the bottom (lowest) position. For example:

  • Internal Network (Highest)
  • Intra-Array Network (Next Highest)
  • Perimeter/DMZ Network(s)
  • …others…
  • External Network (Lowest)
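The following audit script is an added example and is not part of the original article. It reads each adapter's TCP/IP settings through the Win32_NetworkAdapter WMI classes (present on the Windows Server 2008 R2 generation that TMG runs on) and the LanmanServer/LanmanWorkstation Linkage\Bind registry values, and reports any deviation from the multihomed profile above. The adapter names are assumed to follow Step 1; change them to match your own naming.

```powershell
# Added audit script (not from the original article): compares each adapter's
# settings with the recommended multihomed TMG profile and reports deviations.
# Assumption: adapter names follow Step 1 of the article.
$Expected = @{
    'Internal Network'    = @{ Gw=$false; Dns=$true;  Reg=$true;  NetBios=0; Cli=$true;  Fps=$false }
    'Intra-Array Network' = @{ Gw=$false; Dns=$false; Reg=$false; NetBios=0; Cli=$true;  Fps=$true  }
    'External Network'    = @{ Gw=$true;  Dns=$false; Reg=$false; NetBios=2; Cli=$false; Fps=$false }
}
# Any adapter whose name mentions Perimeter or DMZ is checked against this profile.
$DmzProfile = @{ Gw=$false; Dns=$false; Reg=$false; NetBios=2; Cli=$false; Fps=$false }

# 'File and Print Sharing' is the LanmanServer service and 'Client for Microsoft
# Networks' is LanmanWorkstation; each Linkage\Bind value lists the adapters the
# service is bound to as \Device\{GUID}.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$FpsBind = (Get-ItemProperty "$svc\LanmanServer\Linkage").Bind
$CliBind = (Get-ItemProperty "$svc\LanmanWorkstation\Linkage").Bind

$findings = @(); $gateways = 0
foreach ($nic in Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL') {
    $name = $nic.NetConnectionID
    if ($Expected.ContainsKey($name))     { $want = $Expected[$name] }
    elseif ($name -match 'Perimeter|DMZ') { $want = $DmzProfile }
    else { $findings += "$name : not a recognised TMG adapter name (see Step 1)"; continue }

    # The matching Win32_NetworkAdapterConfiguration instance holds the TCP/IP settings.
    $cfg = @($nic.GetRelated('Win32_NetworkAdapterConfiguration'))[0]
    $have = @{
        Gw      = [bool]$cfg.DefaultIPGateway          # null means no default gateway
        Dns     = [bool]$cfg.DNSServerSearchOrder      # null means no DNS servers defined
        Reg     = [bool]$cfg.FullDNSRegistrationEnabled
        NetBios = [int]$cfg.TCPIPNetbiosOptions        # 0 = default, 1 = enabled, 2 = disabled
        Cli     = [bool]($CliBind -contains "\Device\$($nic.GUID)")
        Fps     = [bool]($FpsBind -contains "\Device\$($nic.GUID)")
    }
    if ($have.Gw) { $gateways++ }
    if ($cfg.WINSEnableLMHostsLookup) { $findings += "$name : LMHOSTS lookup should be disabled" }
    foreach ($k in $want.Keys) {
        if ($have[$k] -ne $want[$k]) { $findings += "$name : $k is $($have[$k]), expected $($want[$k])" }
    }
}
# Best practice: exactly one adapter carries the default gateway.
if ($gateways -ne 1) { $findings += "Exactly one adapter should have a default gateway; found $gateways" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All adapters match the recommended TMG configuration.' }
```

Run it in an elevated PowerShell session on the TMG server; the bind order itself (Step 3) is not covered here and still needs to be checked in the Advanced Settings dialog.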

This article was originally written by:

Jason Jones, Forefront MVP

Principal Security Consultant

Silversands Limited

--------

My Forefront Edge Blog: http://blog.msedge.org.uk/

My TMG Blog: http://blog.msfirewall.org.uk/

MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones

Twitter: http://twitter.com/jjatsilversands
