DMZ Design with Forefront TMG 2010

The DMZ, or Demilitarized Zone, in a network refers to a network segment in which we place all the servers that need to be accessible from the internet. These servers could include anything such as IIS, Office Communications Server 2007, DNS Server, OWA or any other servers that need to be accessed by outside users…

In my previous posts I talked about different implementations of a DMZ or perimeter network like a Three-Legged firewall and a back-to-back firewall scenario. In either of these scenarios, whether we have only one firewall in a three-legged design or we have two back-to-back firewalls in the other design, our DMZ is going to be placed behind only one firewall…

Some people call this logical because they believe the DMZ is not going to be a very secure zone anyway, and even if it is, one firewall will do. But what if there is a pretty critical server placed in the DMZ and we need more than one layer of security to protect it? What if the firewall placed in front is a pretty old one and not capable of doing good logging and auditing of the attacks on the DMZ?

In such cases, we need to come up with another design and combine the back-to-back and three-legged firewall designs to create something that satisfies our needs for better security of DMZ…

In this scenario let’s say both of our firewalls are Forefront TMG 2010 and one of them acts as the front-end firewall connecting from one side to the Internet and from the other side to the back-end TMG.

How about the back-end firewall? The back-end firewall is going to be a three-legged firewall with:

  • One leg connecting to the LAN
  • One leg connecting to the DMZ
  • One leg connecting to the front-end TMG

The picture below pretty well shows the type of design that I am talking about:

But what are the benefits of such a design?

  • The DMZ is placed behind two firewalls, the front-end TMG and the back-end TMG, so a user reaching the DMZ from the internet has to pass through both of them
  • The LAN is also behind two firewalls and therefore better protected
  • If you need to do any kind of auditing of attacks on the DMZ and for any reason the front-end firewall is not capable of it (for example, it is an old firewall that cannot take the load or recognize all kinds of attacks), then the back-end firewall can take care of it…
  • Do you want to consider putting honeypots in your network? The network segment between the firewalls is the best place… The hackers expect the DMZ servers to be there.. right???
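To make the "behind two firewalls" point concrete, here is a small Python model of the two designs compared above (an added illustration, not code from the original post and not TMG configuration). Zone and firewall names are constructed; the model computes which firewalls a packet has to cross between any two zones, so the three-legged and the two-TMG designs can be compared side by side.

```python
from collections import deque

# Constructed zone models of the two designs discussed in the post (illustration
# only, not TMG configuration). Each firewall maps to the zones its legs touch.
THREE_LEGGED = {
    "single-fw": {"internet", "lan", "dmz"},
}
TWO_TMG = {
    "front-end-tmg": {"internet", "between-fws"},
    "back-end-tmg": {"between-fws", "lan", "dmz"},
}

def firewalls_crossed(topology, src, dst):
    """Firewalls a packet must traverse on the shortest path from src to dst.

    Returns a list of firewall names in traversal order, or None if unreachable.
    """
    adjacent = {}
    for firewall, zones in topology.items():
        for a in zones:
            for b in zones:
                if a != b:
                    adjacent.setdefault(a, []).append((b, firewall))
    queue = deque([(src, [])])   # breadth-first search over zones
    seen = {src}
    while queue:
        zone, crossed = queue.popleft()
        if zone == dst:
            return crossed
        for nxt, firewall in adjacent.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, crossed + [firewall]))
    return None

def exposure(topology):
    """Number of firewalls standing between the internet and each zone."""
    zones = set().union(*topology.values())
    return {z: len(firewalls_crossed(topology, "internet", z)) for z in zones}

if __name__ == "__main__":
    for name, topo in (("three-legged", THREE_LEGGED), ("two TMGs", TWO_TMG)):
        print(name, exposure(topo))
```

In the two-TMG model the DMZ and the LAN both sit two firewalls deep, while the segment between the firewalls (the honeypot location suggested above) is only one deep, which is exactly why traffic into it is seen by the front-end TMG alone.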

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

5 thoughts on “DMZ Design with Forefront TMG 2010”

  1. This post is really helpful – and helped me a lot to explain it to my management.
    One suggestion – if you could give real-life (corporate) scenarios that will be really great..

    • I am happy that it could help you my friend 🙂 For sure, I will try my best to write a real-life scenario but please let me know what you want to be included in the post exactly? Thanks…

  2. Hello, I think that I saw you visited my website thus I came to “return the favor”. I am attempting
    to find things to enhance my site! I suppose its ok to use some
    of your ideas!!
