Part 3: Windows 2008 R2 Remote Desktop Services / VDI LAB


Setting up Threat Management Gateway – Protector of ALL!!

Part 3 of this multipart series covers setting up TMG ("Threat Management Gateway"), the successor to ISA Server. Before we start: there has been a great deal of confusion about how to set up the network cards on ISA/TMG. Assume we have two NICs (we are not network load balancing), NIC1 being External and NIC2 being Internal.

NIC Name   IP Address      Subnet Mask      Default Gateway   DNS1        DNS2
Internal   10.1.1.1        255.255.255.0    (none)            10.1.1.10   N/A
External   192.168.1.100   255.255.255.0    192.168.1.1       10.1.1.10   N/A

If you are wondering why I chose to set up TMG in this fashion, read the following posts:

http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

http://www.kalabaster.com/dasblog/2009/09/06/ISAServerAndFTMGBasicNetworkAndDNSSettingsOnceAndForAll.aspx
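The settings from the table above, applied and then checked from the command line. This is an added example, not code from the original post: it uses netsh (the native tool on Windows Server 2008 R2) to set each adapter, then uses WMI to verify the rule the TMG Network Setup wizard enforces later on, namely that exactly one default gateway exists and that it sits on the External adapter. It assumes the two connections have already been renamed "Internal" and "External" in Network Connections and that it runs in an elevated PowerShell on the TMG server; the register=none choice for the External NIC is mine, not the post's.

```powershell
# Added example (not part of the original post). Applies the lab NIC table with
# netsh and verifies the single-default-gateway rule TMG depends on.
# Assumes: connections named "Internal" and "External"; elevated PowerShell on the TMG box.

$lab = @(
    @{ Name = "Internal"; IP = "10.1.1.1";      Mask = "255.255.255.0"; Gateway = $null;         Dns = "10.1.1.10"; Register = "primary" },
    @{ Name = "External"; IP = "192.168.1.100"; Mask = "255.255.255.0"; Gateway = "192.168.1.1"; Dns = "10.1.1.10"; Register = "none" }
)

function Set-LabNic([hashtable]$Nic) {
    if ($Nic.Gateway) {
        netsh interface ipv4 set address "name=$($Nic.Name)" source=static "address=$($Nic.IP)" "mask=$($Nic.Mask)" "gateway=$($Nic.Gateway)" gwmetric=1
    } else {
        # gateway=none clears any existing default gateway. Typing 0.0.0.0 instead is
        # what makes the Network Setup wizard reject the internal adapter later on.
        netsh interface ipv4 set address "name=$($Nic.Name)" source=static "address=$($Nic.IP)" "mask=$($Nic.Mask)" gateway=none
    }
    # register=none on the External NIC keeps 192.168.1.100 out of the NA.LOCAL zone (my choice);
    # validate=no skips the DNS reachability check, which fails on the external side
    # before any TMG access rules exist.
    netsh interface ipv4 set dnsservers "name=$($Nic.Name)" source=static "address=$($Nic.Dns)" "register=$($Nic.Register)" validate=no
}

function Get-GatewayReport {
    # Win32_NetworkAdapter.Index joins to Win32_NetworkAdapterConfiguration.Index, which is
    # how the connection name ("Internal"/"External") ends up next to the IP settings.
    $report = @()
    foreach ($cfg in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True") {
        $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
        $report += New-Object PSObject -Property @{
            Connection = $adapter.NetConnectionID
            IPAddress  = ($cfg.IPAddress -join ", ")
            Gateway    = ($cfg.DefaultIPGateway -join ", ")
            DNS        = ($cfg.DNSServerSearchOrder -join ", ")
        }
    }
    return $report
}

function Test-SingleDefaultGateway($Report) {
    # TMG wants exactly one default gateway, and it must be on the External adapter.
    $withGateway = @($Report | Where-Object { $_.Gateway -ne "" })
    if ($withGateway.Count -ne 1) {
        Write-Warning ("Expected exactly one default gateway, found {0}: {1}" -f $withGateway.Count, (($withGateway | ForEach-Object { $_.Connection }) -join ", "))
        return $false
    }
    if ($withGateway[0].Connection -ne "External") {
        Write-Warning "The default gateway is on '$($withGateway[0].Connection)', not on External"
        return $false
    }
    return $true
}

foreach ($nic in $lab) { Set-LabNic $nic }
$report = Get-GatewayReport
$report | Format-Table Connection, IPAddress, Gateway, DNS -AutoSize
if (Test-SingleDefaultGateway $report) { "OK: one default gateway, on External" }
```

Run it once after renaming the connections, then again after the Network Setup wizard if it complains; the warning from Test-SingleDefaultGateway names the adapter that still carries a gateway it should not have.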

Internal NIC settings (part of the AD domain NA.LOCAL) and External NIC settings: screenshots not reproduced here.

The TMG server I am working with will be a member of the Active Directory domain (NA.LOCAL) that we set up in Part 2.

Let the install begin!!!

(To conserve page space, the screenshots follow a "Z" pattern: for a four-step process, step 1 is in the top-left quadrant, step 2 top-right, step 3 bottom-left and step 4 bottom-right.)

Running the Preparation Tool!
  • After inserting the CD, I clicked "Run Splash.hta"
  • Click "Run Preparation Tool"
  • Click Next on the following screen
  • Read the terms, click "I Accept", click Next
  • Leave the default "Forefront TMG Services & Management" radio button selected, click Next
  • Wait a few moments while the preparation tool runs
  • Prep completed, click Finish
 

Running the Installation Wizard

  • Click "Run Installation Wizard"
  • A couple more windows will pop up
  • Click Next
  • Click "I Accept", then click Next
  • Type your information / product key, click Next
  • Select "TMG Services & MGMT", click Next
  • Browse to a custom install path if needed, click Next
  • Click Add to define the Internal Network
  • Click Add Adapter on the following screen
  • Select your Internal adapter, click OK

In my case, I picked the Internal adapter, which produced a list of several address ranges.

We do not need all of those ranges; we only need the range the internal NIC belongs to, which should read 10.1.1.0 – 10.1.1.255 (the 10.1.1.0/24 subnet).

To remove the ranges, highlight each one and the Remove button will activate. Once you have a blank Start Address / End Address list, go to the next step.

  • Click Add Range, type the start and end addresses of your internal subnet (10.1.1.0 to 10.1.1.255), click OK
  • Once the range looks correct, click OK
  • Verify the Internal Network addresses, click Next
  • Click Next
  • Click Install
  • A "This will take several minutes" window appears
  • An estimated-time window appears
  • Installation complete, click Finish

TMG Configuration

  • Click "Configure Network Settings"
  • Click Next
  • Pick "Edge Firewall", click Next
  • Select your INTERNAL NIC, click Next
  • You will receive an error at this point: 0.0.0.0 is not a valid default gateway, and the internal NIC should not have one at all. Remove the gateway and leave it blank (the External NIC carries the only default gateway).
  • With the gateway cleared, the internal NIC settings are accepted; click Next
  • Verify that the External NIC is picked on the next screen, click Next. (If this NIC were connected directly to an ISP, you could pick "Obtain an IP address automatically" instead.)
  • Click Finish
  • Click "Configure System Settings"
  • Click Next
  • Check all settings, click Next
  • Click Finish
  • Click "Define Deployment Options"
  • Click Next
  • Click "Use the Microsoft Update…", click Next
  • Click "Enable URL Filtering", click Next
  • Leave the default, click Next
  • Check No if you do not want to participate, click Next
  • Click None, then click Next
  • Click Finish
  • Click Close (notice that "Run the Web Access wizard" is checked, so the Web Access Policy wizard starts next)
  • Click Next
  • Leave the default "Yes, create…", then click Next
  • Edit any URL category required, then click Next
  • Click Next on the URL filter exception list
  • Leave the Malware Inspection settings as default, click Next
  • Leave HTTPS traffic as default, click Next
  • Leave the HTTPS Inspection page as default, click Next
  • Type Domain Admin credentials so the HTTPS inspection certificate can be deployed through Active Directory, click Next
  • Disable Web Caching, click Next
  • Click Finish
 

Now that TMG is set up, you will notice that the TMG server itself cannot reach the Internet, and neither can any of the internal servers (servers on TMG's Internal network, 10.1.1.0/24 in my lab). Why? All systems, including TMG, use the Domain Controller, 10.1.1.10, for DNS lookups, and the Domain Controller resolves external names by querying the root hints directly. Every machine on the internal network has its default gateway pointed at TMG's internal NIC, so those root-hint queries have to pass through TMG, and TMG is a firewall: nothing leaves the Internal network unless an access rule allows it. The Web Access Policy wizard already created a rule allowing web traffic from Internal to External, so HTTP is not the problem; the Domain Controller's outbound DNS (port 53) is. At a minimum we need an access rule that lets the Domain Controller perform DNS lookups to the External network.

How do I know this? The logs speak for themselves.

Open the Forefront TMG console, click Logs & Reports, then click Start Query. (This shows all traffic, since we did not modify the filter, but that's fine.)

Connect to an internal server (I will use my Domain Controller for now), open a web browser and visit any website, for example www.bing.com.

Immediately afterwards, go back to the TMG console and click Stop Query on the Logs & Reports screen. Now search the results for the denied packets: you will see that the Domain Controller, 10.1.1.10, was denied outbound on port 53. Port 53 is DNS.
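A second way to confirm what the log shows, as an added example that is not part of the original post: send one hand-built DNS query over UDP/53 from the Domain Controller to a root server and see whether a reply comes back through TMG. It assumes it runs on the DC (10.1.1.10), whose default gateway is TMG's internal NIC; the target 198.41.0.4 (a.root-servers.net) is my choice, picked because the root servers are exactly what the DC's root hints query; and it is written for PowerShell 2.0, which ships with 2008 R2, so it avoids the -shl/-shr operators.

```powershell
# Added example (not from the original post): probe outbound UDP/53 from the DC.
# Assumes: run on 10.1.1.10 behind TMG; 198.41.0.4 is an arbitrary external DNS server.

function New-DnsQuery([string]$Name, [int]$Id) {
    # 12-byte header: ID, flags 0x0100 (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $bytes = New-Object System.Collections.Generic.List[byte]
    $bytes.AddRange([byte[]]@([math]::Floor($Id / 256), ($Id % 256), 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $raw = [System.Text.Encoding]::ASCII.GetBytes($label)
        $bytes.Add([byte]$raw.Length)         # each label is length-prefixed
        $bytes.AddRange($raw)
    }
    $bytes.Add([byte]0)                       # empty root label terminates the QNAME
    $bytes.AddRange([byte[]]@(0, 1, 0, 1))    # QTYPE=A, QCLASS=IN
    return $bytes.ToArray()
}

function Test-OutboundDns {
    param(
        [string]$Name = "www.bing.com",
        [string]$Server = "198.41.0.4",   # a.root-servers.net; my choice, any external DNS server works
        [int]$TimeoutMs = 3000
    )
    $id = Get-Random -Minimum 1 -Maximum 65535
    $query = New-DnsQuery -Name $Name -Id $id
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($query, $query.Length, $Server, 53)
        $from  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply = $udp.Receive([ref]$from)
        $replyId    = $reply[0] * 256 + $reply[1]
        $isResponse = ($reply[2] -band 0x80) -ne 0   # QR bit set on answers
        if ($replyId -ne $id -or -not $isResponse) {
            return "UNEXPECTED: packet from $($from.Address) did not answer query $id"
        }
        $rcode = $reply[3] -band 0x0F
        # A root server answers a recursive query with a referral (RCODE 0, no answer records).
        # What matters here is that UDP/53 left the Internal network and the reply came back.
        return "ALLOWED: $($reply.Length)-byte reply from $($from.Address):$($from.Port), RCODE=$rcode"
    } catch [System.Net.Sockets.SocketException] {
        # Timeout or ICMP unreachable: nothing came back through TMG. Expect a matching
        # Denied Connection entry for 10.1.1.10 to $Server on port 53 in the TMG log.
        return "BLOCKED: no reply within $TimeoutMs ms ($($_.Exception.Message))"
    } finally {
        $udp.Close()
    }
}

Test-OutboundDns
```

Run it before the access rule is created and it should report BLOCKED with a timeout, matching the denied entry in the log; run it again a few minutes after the rule is applied and it should report ALLOWED. It is a port-53 reachability probe, not a resolver: the root server's referral is enough to prove the path.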

So, let's fix it: create a rule that allows internal servers to perform outbound DNS lookups. (The rule below uses the whole Internal network as the source. A tighter, least-privilege version would use a Computer object for the Domain Controller, 10.1.1.10, as the source, since it is the only host that needs to query the root servers.)

  • Right-click Firewall Policy, New, Access Rule
  • Type the name OUTBOUND_DNS, click Next
  • Select "Allow", click Next
  • Click Add to add a protocol
  • Expand Infrastructure, click DNS, click Add, click Close
  • Click Next
  • Click Add on the access rule sources screen
  • Expand Networks, click Internal, click Add, click Close
  • Click Next
  • Click Add on the access rule destinations screen
  • Expand Networks, click External, click Add, click Close
  • Click Next
  • Click Next on the user sets screen (All Users)
  • Click Finish
  • Click Apply
  • Type a description, click Apply
  • Click OK
  • Wait at least 2 to 3 minutes for the configuration to be applied
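The same OUTBOUND_DNS rule built through TMG's COM administration object model (FPC.Root) instead of the wizard, as an added example that is not part of the original post. It follows the FPC object model that the ISA/TMG SDK scripts use (FPCPolicyRules.AddAccessRule, FPCAccessProperties, FPCSelectionIPs, FPCArray.Save); the three numeric constants are the SDK enum values written out by name, and the -SourceComputer option (a Computer object for the DC) and the description text are my additions. Verify the constants against the SDK before trusting the result on a build you have not tested.

```powershell
# Added example (not from the original post): create the OUTBOUND_DNS access rule via
# the TMG COM object model. Run in an elevated PowerShell on the TMG server.
# The enum values below are the FPC SDK constants (assumption to check against the SDK).

$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType
$fpcInclude               = 0   # FpcIncludeStatus

function New-TmgOutboundDnsRule {
    param(
        [string]$RuleName       = "OUTBOUND_DNS",
        # "Internal" reproduces the wizard steps above. For least privilege, create a
        # Computer object for the DC (10.1.1.10) in the Toolbox and pass its name as -SourceComputer.
        [string]$SourceNetwork  = "Internal",
        [string]$SourceComputer = $null,
        [string]$Description    = "Allow DNS from the internal network to the Internet so the DC can resolve via root hints"
    )
    $root  = New-Object -ComObject "FPC.Root"
    $array = $root.GetContainingArray()
    $rules = $array.ArrayPolicy.PolicyRules

    # Refuse to create a duplicate rule name
    foreach ($existing in $rules) {
        if ($existing.Name -eq $RuleName) { throw "Access rule '$RuleName' already exists; not creating a duplicate" }
    }

    $rule = $rules.AddAccessRule($RuleName)
    $rule.Action      = $fpcPolicyRuleActionAllow
    $rule.Description = $Description
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    [void]$rule.AccessProperties.SpecifiedProtocols.Add("DNS", $fpcInclude)
    if ($SourceComputer) {
        [void]$rule.SourceSelectionIPs.Computers.Add($SourceComputer, $fpcInclude)
    } else {
        [void]$rule.SourceSelectionIPs.Networks.Add($SourceNetwork, $fpcInclude)
    }
    [void]$rule.AccessProperties.DestinationSelectionIPs.Networks.Add("External", $fpcInclude)
    [void]$rule.AccessProperties.UserSets.Add("All Users", $fpcInclude)

    $array.Save()   # same as clicking Apply; allow a few minutes for the change to propagate
    return $rule
}

function Get-TmgAccessRuleSummary([string]$RuleName = "OUTBOUND_DNS") {
    # Read the rule back so the result can be checked without opening the console
    $root  = New-Object -ComObject "FPC.Root"
    $rules = $root.GetContainingArray().ArrayPolicy.PolicyRules
    foreach ($r in $rules) {
        if ($r.Name -eq $RuleName) {
            return "{0}: Action={1} Enabled={2} Order={3}" -f $r.Name, $r.Action, $r.Enabled, $r.Order
        }
    }
    return "Rule '$RuleName' not found"
}

$null = New-TmgOutboundDnsRule
Get-TmgAccessRuleSummary
```

Action=0 in the summary is Allow. Scripting the rule this way is also how you keep a lab rebuildable: the same script recreates the policy after a reinstall, and the -SourceComputer switch is the one-line change that narrows the source from the whole Internal network to the Domain Controller.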
 

Now that we have a rule allowing DNS lookups outbound from the Internal network, we can check Internet access again. Before we do, turn on logging as before so we can see the allowed packets destined for port 53 (DNS).

Open the Forefront TMG console, click Logs & Reports, and click Start Query (again with no filter, so all traffic is shown).

Connect to an internal server (again my Domain Controller), open a web browser and visit any website, for example www.bing.com.

Immediately afterwards, go back to the TMG console and click Stop Query. This time search for the allowed packets: the port 53 entries now show Status: The operation completed successfully, and Rule: OUTBOUND_DNS.

A little further down the log you will also see the allowed HTTP connection to www.bing.com.

SUCCESS!!! You have now completed the installation of Forefront TMG as an Edge Firewall!!

Comments (1)
  1. Leao Braz says:

    Hi,

    Very nice, where is part 4…

    Thanks,
