Now that you have some background knowledge on the concept of a virtualized network edge, we will go a little bit deeper and in this post I will try to illustrate different scenarios where we put TMG in our network:
1- TMG as an Edge Firewall
An edge firewall is a firewall placed on the edge of the network connecting the LAN to the Internet and is capable of inspecting any traffic that enters or exits the network.
As it is shown in the illustration, we will install the TMG on a Guest VM on Hyper-V and will disconnect the parent OS from the internet.
We need to create two virtual NICs on the Guest VM. One of the virtual NICs is connected to the physical server’s NIC linked to the LAN and the other virtual NIC is connected to the physical server’s NIC linked to the Internet.
Notes: The connection between the virtual NIC and the physical NIC is established through a Virtual Switch on each side. So keep in mind that in this scenario we will need to have two virtual switches.
2- TMG as a Three-Legged Firewall
A three-legged firewall is a type of firewall that is connected to three different network segments namely LAN, DMZ (Perimeter Network) and the Internet.
As precisely depicted in the illustration, everything looks and is configured the same as when we had an edge TMG firewall with the only difference that we need to have a new and third Virtual NIC on the Guest VM running TMG which is connected to the DMZ section of the network.
There goes to scenario here:
- The DMZ is on the same Hyper-V Server. In this case we are going to have a specific virtual switch for our DMZ section. This switch is connected to the TMG on one side and to the virtual NICs of the Guest VMs from the other side. This way we can have a link between the TMG and the Guest VMs which are placed in DMZ.
- The DMZ is not on the same Hyper-V server and is on another server or servers. The picture below can describe things a little bit better. In this scenario we still have the DMZ virtual switch but this virtual switch is not straight connected to the other DMZ Guest VMs; instead it is connected to them through the physical NIC of the server.
Notes: I don’t explain more on this scenario to avoid confusion; because I believe the picture is clearly showing what I am trying to say.
3- TMG as a Back-to-Back Firewall
In this scenario we have two TMGs both installed on two different Guest VMs. One of them is playing the role ofa frontier firewall connected to the Internet through a Virtual Switch; and the other TMG is playing the role of aback-end firewall connected to the LAN through another Virtual Switch.
Both of these Guest VMs running TMG, from the other side, are connected to a DMZ Virtual Switch. This virtual switch is also connected to the other VMs in the DMZ.
Notes: Again like the previous scenario, the DMZ section could be either on the same Hyper-V Server or on another server or servers. It totally depends on your design.
Here I just talked about the design and not the configuration on the TMG and VMs. Basically there are a number of things that need to be configured correctly if you want to get these scenarios up and running. In the next and most probably the last post of this series, I will talk about the configuration with all the details.
Some months ago I also had a deep dive session in Microsoft Virtualization and Security Summit 2010 and it was on deploying TMG on a virtualized environment. Below you can see my presentation slides shared for your use.
You want to learn more about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:
To get more information about the book click on the book below:
Wish you all the best