Recommended Network Adapter Configuration for Forefront UAG Servers

[This article originally appeared in the "Closer to the Edge" blog at: http://blog.msedge.org.uk/2010/04/recommended-network-card-configuration_14.html]

A high-level overview of network adapter configuration best practice is provided below:

  • The network adapter name used within the operating system should be changed to closely match the associated TMG network name. This clarifies assignment and improves supportability.
  • Only one network adapter should be configured with a default gateway.
  • Only one network adapter should be defined with DNS servers.
  • Unused or unnecessary bindings should be removed from all adapters, where possible, to improve security.
  • The default bind order should be amended to define a specific customised order.

Based upon these best practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment.

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

UAG adapter connected to the trusted network: Internal Network
UAG adapter connected to the untrusted network: External Network

Tip: Matching the names is not essential; it just makes mapping networks between UAG, TMG and Windows much easier when troubleshooting…

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The 'File and Print Sharing for Microsoft Networks' binding on the Internal Network adapter is left at its default setting of Enabled. This allows the Internal Network adapter to be used for intra-array services when using a Forefront UAG array.
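The following script is an added example and is not part of the original article or of the UAG product. It applies the Step 1 and Step 2 settings on Windows Server 2008 R2, the platform Forefront UAG 2010 runs on, using netsh and WMI rather than the NetAdapter/DnsClient cmdlets, which only exist on Windows Server 2012 and later. The current adapter names ('Local Area Connection', 'Local Area Connection 2') and the DNS server addresses are constructed placeholders; Get-AdapterConfig is a helper written for this example.

```powershell
# Added example, not from the original article: applies the Step 1 and Step 2
# adapter settings on Windows Server 2008 R2 using netsh and WMI.
# Run from an elevated PowerShell prompt on the UAG server.
# Adapter names and IP addresses below are constructed placeholders.

$internalOldName = 'Local Area Connection'     # assumption: current name of the trusted NIC
$externalOldName = 'Local Area Connection 2'   # assumption: current name of the untrusted NIC
$internalName    = 'Internal Network'
$externalName    = 'External Network'
$internalDns     = @('10.0.0.10', '10.0.0.11') # constructed: internal DNS servers

# Helper (written for this example): returns the IP configuration object
# that belongs to a connection name as shown in Network Connections.
function Get-AdapterConfig([string]$ConnectionName) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $nic) { throw "Adapter '$ConnectionName' not found" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
}

# Step 1: rename the adapters so they match the UAG/TMG network names.
netsh interface set interface name="$internalOldName" newname="$internalName" | Out-Null
netsh interface set interface name="$externalOldName" newname="$externalName" | Out-Null

# Step 2, Internal Network: DNS servers defined, connection address registered in DNS.
# validate=no because the DNS servers may sit behind a router that is not yet reachable
# (static routes are added in Step 4).
netsh interface ipv4 set dnsservers name="$internalName" source=static address=$($internalDns[0]) register=primary validate=no | Out-Null
for ($i = 1; $i -lt $internalDns.Count; $i++) {
    $idx = $i + 1
    netsh interface ipv4 add dnsservers name="$internalName" address=$($internalDns[$i]) index=$idx validate=no | Out-Null
}

# Internal Network must not carry a default gateway; report it rather than guess the
# correct IP/mask to re-apply.
$intCfg = Get-AdapterConfig $internalName
if ($intCfg.DefaultIPGateway) {
    Write-Warning "$internalName still has a default gateway ($($intCfg.DefaultIPGateway -join ', ')); remove it in the adapter's IPv4 properties."
}

# Step 2, External Network: no DNS servers, no DNS registration, NetBIOS over TCP/IP off.
netsh interface ipv4 set dnsservers name="$externalName" source=static address=none register=none | Out-Null
$extCfg = Get-AdapterConfig $externalName
$result = $extCfg.SetTcpipNetbios(2)   # 0 = default (via DHCP), 1 = enabled, 2 = disabled
if ($result.ReturnValue -gt 1) { Write-Warning "SetTcpipNetbios failed with code $($result.ReturnValue)" }

# 'Enable LMHOSTS Lookup' is a system-wide NetBT setting, disabled for both adapters.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name EnableLMHOSTS -Value 0 -Type DWord

# The 'Client for Microsoft Networks' (ms_msclient) and 'File and Printer Sharing'
# (ms_server) bindings have no netsh or WMI switch on 2008 R2: clear both checkboxes in
# the External Network adapter's properties dialog and leave them enabled on the
# Internal Network adapter, as the article specifies.
```

Re-running the script is safe: the rename fails harmlessly once the new names exist, and the DNS and NetBIOS settings are idempotent. A `ReturnValue` of 1 from `SetTcpipNetbios` means the change is applied after a reboot.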

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
…others…
External Network (Lowest)

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow…
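The following script is an added example and is not part of the original article or of the UAG product. It performs the Step 3 and Step 4 follow-up work on Windows Server 2008 R2: adding persistent static routes (ROUTE ADD -p) for internal subnets behind routers, restarting the DNS Client service so it re-evaluates the internal DNS servers, and then checking that only one adapter has a default gateway, only one has DNS servers, the bind order places Internal Network first and External Network last, and an internal name resolves. The router address, subnets and test host name are constructed placeholders, and Get-BindOrder and Test-UagNetworkConfig are helpers written for this example.

```powershell
# Added example, not from the original article: Step 3/4 follow-up on Windows
# Server 2008 R2. Run from an elevated PowerShell prompt on the UAG server.
# Router, subnets, host name and adapter names are constructed placeholders.

$internalName    = 'Internal Network'
$externalName    = 'External Network'
$internalRouter  = '10.0.0.1'                                           # constructed: router on the Internal Network subnet
$internalSubnets = @('10.1.0.0/255.255.0.0', '10.2.0.0/255.255.0.0')   # constructed: subnets behind that router
$testHost        = 'dc01.corp.example'                                  # constructed: host on a routed internal subnet

$nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$internalName'"
if (-not $nic) { throw "Adapter '$internalName' not found" }
$ifIndex = $nic.InterfaceIndex

# Step 4 prerequisite: persistent routes for internal subnets via the internal router,
# pinned to the Internal Network interface so they never fall back to the default gateway.
foreach ($entry in $internalSubnets) {
    $network, $mask = $entry -split '/'
    route -p add $network mask $mask $internalRouter 'IF' $ifIndex | Out-Null
}

# The DNS Client only re-probes the (now reachable) internal DNS servers after a restart
# or a reboot; restart it rather than reboot.
Restart-Service -Name Dnscache

# Helper (written for this example): adapter bind order as Windows stores it,
# highest first. Entries without a connection name (tunnel/miniport devices) are skipped.
function Get-BindOrder {
    $bind     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
    $adapters = Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL'
    foreach ($dev in $bind) {
        $guid  = $dev -replace '^\\Device\\', ''
        $match = $adapters | Where-Object { $_.GUID -eq $guid }
        if ($match) { $match.NetConnectionID }
    }
}

# Helper (written for this example): checks the article's gateway/DNS/bind-order
# rules and confirms that internal name resolution works over the static routes.
function Test-UagNetworkConfig {
    $cfgs        = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    $withGateway = @($cfgs | Where-Object { $_.DefaultIPGateway })
    $withDns     = @($cfgs | Where-Object { $_.DNSServerSearchOrder })
    if ($withGateway.Count -ne 1) { Write-Warning "Expected exactly one adapter with a default gateway, found $($withGateway.Count)" }
    if ($withDns.Count -ne 1)     { Write-Warning "Expected exactly one adapter with DNS servers, found $($withDns.Count)" }

    $order = @(Get-BindOrder)
    if ($order.Count -lt 2 -or $order[0] -ne $internalName -or $order[-1] -ne $externalName) {
        Write-Warning "Bind order is: $($order -join ' > ') (expected $internalName first, $externalName last)"
    }

    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($testHost) | ForEach-Object { $_.IPAddressToString }
        "Resolved $testHost to $($addrs -join ', ')"
    } catch {
        Write-Warning "Could not resolve $testHost; check the static routes and the DNS Client state: $_"
    }
}

Test-UagNetworkConfig
```

If the resolution check fails while the static routes are present, a reboot (rather than a service restart) is the other remedy the article describes. After the routes are in place, run the UAG Network Interfaces wizard so the new subnets are added as address ranges of the internal network and inherited by TMG.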

This article was originally written by:

Jason Jones, Forefront MVP
Principal Security Consultant
Silversands Limited
--------
My Forefront Edge Blog: http://blog.msedge.org.uk/
My ISA Server Blog: http://blog.msfirewall.org.uk/
MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones
Twitter: http://twitter.com/jjatsilversands

[Additional information]

  • Only two network adapters are supported for UAG servers. If you need multiple external IPs for multiple trunks, add them as additional IPs on the external adapter, not as additional adapters.
  • When configuring a default gateway only on the external adapter and DNS servers only on the internal adapter (as recommended above), you may initially encounter DNS name resolution issues until you create your persistent static routes (ROUTE ADD -p) for your other internal subnets and either (a) reboot, or (b) restart the DNS Client service (assuming the DNS servers are on an internal subnet that is different from your internal adapter subnet). This appears to be due to the way Windows handles the fact that no DNS servers are reachable on the adapter on which they are specified (at least they are not reachable when the DNS Client starts up). In this situation, Windows appears not to attempt to reach those DNS servers over the external adapter, even if they may be reachable through the default gateway. Instead, it will resort to attempting name resolution with NbtNS instead of DNS.

These additions by:
Jared Poeppelman, Microsoft