DMZ Design with Forefront TMG 2010

The DMZ, or Demilitarized Zone, in a network refers to a segment of the network in which we place all the servers that need to be accessible from the Internet. These servers could include anything such as IIS, Office Communications Server 2007, DNS Server, OWA or any other server that needs to be accessed by outside users…

In my previous posts I talked about different implementations of a DMZ or perimeter network, like the three-legged firewall and the back-to-back firewall scenario. In either of these scenarios, whether we have only one firewall in a three-legged design or two back-to-back firewalls in the other design, our DMZ is going to be placed behind only one firewall…

Some people call it logical because they believe the DMZ is not going to be a very secure zone anyway, and even if it is, one firewall will do. But the question is: what if there is a pretty critical server placed in the DMZ and we need more than one layer of security in order to protect it? What if the firewall placed in front is a pretty old one and not capable of good logging and auditing of the kinds of attacks launched against the DMZ?

In such cases we need to come up with another design and combine the back-to-back and three-legged firewall designs to create something that satisfies our need for better security of the DMZ…

In this scenario let’s say both of our firewalls are Forefront TMG 2010 and one of them acts as the front-end firewall connecting from one side to the Internet and from the other side to the back-end TMG.

How about the back-end firewall? The back-end firewall is going to be a three-legged firewall with:

  • One leg connecting to the LAN
  • One leg connecting to the DMZ
  • One leg connecting to the front-end TMG

The picture below pretty well shows the type of design that I am talking about:

But what are the benefits of such a design:

  • The DMZ is placed behind two firewalls, the front-end TMG and the back-end TMG, so a user reaching the DMZ from the Internet has to pass through both of them
  • The LAN is also behind two firewalls and therefore better protected
  • If you need to do any kind of auditing of attacks on the DMZ and for any reason the front-end firewall is not capable of that (for example it is an old firewall, not strong enough to take the load and to recognize all kinds of attacks), then the back-end firewall can take care of it…
  • Do you want to consider putting honeypots in your network? The network segment between the firewalls is the best place… the hackers expect the DMZ servers to be there, right?




Deploying the network edge on a virtual environment – Part 3

Now that you have some background knowledge on the concept of a virtualized network edge, we will go a little bit deeper, and in this post I will try to illustrate the different scenarios for where we put TMG in our network:

1- TMG as an Edge Firewall

An edge firewall is a firewall placed on the edge of the network connecting the LAN to the Internet and is capable of inspecting any traffic that enters or exits the network.

As it is shown in the illustration, we will install the TMG on a Guest VM on Hyper-V and will disconnect the parent OS from the internet.

We need to create two virtual NICs on the Guest VM. One of the virtual NICs is connected to the physical server’s NIC linked to the LAN and the other virtual NIC is connected to the physical server’s NIC linked to the Internet.

Notes: The connection between the virtual NIC and the physical NIC is established through a Virtual Switch on each side. So keep in mind that in this scenario we will need to have two virtual switches.

2- TMG as a Three-Legged Firewall

A three-legged firewall is a type of firewall that is connected to three different network segments namely LAN, DMZ (Perimeter Network) and the Internet.

As depicted in the illustration, everything looks and is configured the same as with the edge TMG firewall, with the only difference that we need a new, third virtual NIC on the Guest VM running TMG, connected to the DMZ section of the network.

There are two scenarios here:

  • The DMZ is on the same Hyper-V server. In this case we are going to have a dedicated virtual switch for our DMZ section. This switch is connected to the TMG on one side and to the virtual NICs of the DMZ Guest VMs on the other side. This way we have a link between the TMG and the Guest VMs placed in the DMZ.
  • The DMZ is not on the same Hyper-V server but on another server or servers. The picture below describes things a little bit better. In this scenario we still have the DMZ virtual switch, but this virtual switch is not directly connected to the other DMZ Guest VMs; instead it is connected to them through a physical NIC of the server.

Notes: I don’t explain more on this scenario, to avoid confusion, because I believe the picture clearly shows what I am trying to say.

3- TMG as a Back-to-Back Firewall

In this scenario we have two TMGs, each installed on a different Guest VM. One of them plays the role of a front-end firewall connected to the Internet through a Virtual Switch, and the other TMG plays the role of a back-end firewall connected to the LAN through another Virtual Switch.

Both of these Guest VMs running TMG, from the other side, are connected to a DMZ Virtual Switch. This virtual switch is also connected to the other VMs in the DMZ.

Notes: Again like the previous scenario, the DMZ section could be either on the same Hyper-V Server or on another server or servers. It totally depends on your design.
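The virtual-switch and NIC layout for the three-legged (scenario 2) and back-to-back (scenario 3) designs above, as an added PowerShell example that is not from the original post. It assumes the Hyper-V PowerShell module is available and uses made-up VM and NIC names (TMG-3Leg, TMG-Front, TMG-Back, Web01, NIC-LAN, NIC-Internet, NIC-DMZ).

```powershell
# Added example, not from the original post: Hyper-V networking for the
# three-legged TMG (scenario 2) and the back-to-back TMGs (scenario 3).
# Assumptions: Hyper-V PowerShell module present, the VMs named below already
# exist, and the host has physical NICs "NIC-LAN", "NIC-Internet" and
# (only for a remote DMZ) "NIC-DMZ". All of these names are made up.
Import-Module Hyper-V

# One external switch per physical NIC. -AllowManagementOS $false gives the
# parent (host) OS no virtual NIC on the Internet-facing switch, which is how
# the post's "disconnect the parent OS from the Internet" is enforced.
New-VMSwitch -Name "vSw-Internet" -NetAdapterName "NIC-Internet" -AllowManagementOS $false
New-VMSwitch -Name "vSw-LAN"      -NetAdapterName "NIC-LAN"      -AllowManagementOS $true

# DMZ switch: Private (no physical NIC, host cannot reach it) when every DMZ
# VM lives on this host; External on a dedicated NIC when the DMZ servers are
# on other hosts, as in the second case of the three-legged scenario.
$DmzOnThisHost = $true
if ($DmzOnThisHost) {
    New-VMSwitch -Name "vSw-DMZ" -SwitchType Private
} else {
    New-VMSwitch -Name "vSw-DMZ" -NetAdapterName "NIC-DMZ" -AllowManagementOS $false
}

# Gives a VM exactly the legs listed, removing any default adapter first.
function Set-TmgLegs {
    param([string]$VMName, [hashtable]$Legs)   # leg name -> switch name
    Get-VMNetworkAdapter -VMName $VMName | Remove-VMNetworkAdapter
    foreach ($leg in $Legs.Keys) {
        Add-VMNetworkAdapter -VMName $VMName -Name $leg -SwitchName $Legs[$leg]
    }
}

# Scenario 2: a single TMG guest with three legs.
Set-TmgLegs -VMName "TMG-3Leg" -Legs @{ LAN = "vSw-LAN"; DMZ = "vSw-DMZ"; Internet = "vSw-Internet" }

# Scenario 3: front-end TMG between Internet and DMZ, back-end TMG between
# DMZ and LAN. Neither TMG gets a NIC on the other side's switch.
Set-TmgLegs -VMName "TMG-Front" -Legs @{ Internet = "vSw-Internet"; DMZ = "vSw-DMZ" }
Set-TmgLegs -VMName "TMG-Back"  -Legs @{ DMZ = "vSw-DMZ"; LAN = "vSw-LAN" }

# A DMZ server on this host simply gets one NIC on the DMZ switch.
Set-TmgLegs -VMName "Web01" -Legs @{ DMZ = "vSw-DMZ" }

# Checks: the host must have no adapter on the Internet switch, and each TMG
# must show only the legs assigned above.
$hostOnInternet = Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq "vSw-Internet"
if ($hostOnInternet) { Write-Warning "Parent OS is still attached to the Internet switch" }
Get-VMNetworkAdapter -VMName "TMG-3Leg","TMG-Front","TMG-Back" |
    Format-Table VMName, Name, SwitchName -AutoSize
```

The same layout covers the first post's design as well: give the back-end TMG a third leg on the DMZ switch and the front-end TMG only Internet and inter-firewall legs.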

Here I have only talked about the design, not the configuration of the TMG and the VMs. Basically there are a number of things that need to be configured correctly if you want to get these scenarios up and running. In the next, and most probably the last, post of this series I will talk about the configuration in full detail.

Some months ago I also gave a deep-dive session at the Microsoft Virtualization and Security Summit 2010 on deploying TMG in a virtualized environment. Below you can see my presentation slides, shared for your use.



Wish you all the best