Windows Server 2008 R2 Thread: [Forefront TMG] Restricting network access
  1. #1
    [Forefront TMG] Restricting network access

    I am on holiday at present but I am sure I will need to set this up when I get back. So I'm doing some advance homework.

    I am looking to restrict network access to certain logins, in particular, restricting internet access.

    Our new Windows network is using Forefront TMG as firewall. It is not part of the domain but does have access to a RADIUS server - currently for VPN use.

    Our new clients are Windows 7, but many teachers' machines will be Win XP. I know from previous experience that some of the old school XP machines could not run SP3 (or was it SP2?) due to video card issues, so let's assume any solution should work for Windows XP SP1.

    Currently the school, office and IT LANs route through a Windows 2008 R2 server using RRAS LAN routing. The Forefront TMG firewall is on the IT LAN, but outside the Active Server domain. I see from the Forefront documentation that creating access groups on a per-user basis will slow things down, plus I assume that authentication will be an issue with Forefront being in the DMZ. So I assume that using TMG to filter on a per-user basis is not a solution.

    I guess that I can create a per-user-group GPO that sets the IE proxy to something benign (localhost?), but I would rather have a network-based solution.

    But the LAN-routing Windows 2008 R2 machine seems a good central point for restricting network usage. Is there anything that can possibly be done here, maybe with RRAS, NPS, IPsec or the firewall?

    I think what the teachers will be asking for is a classroom PC that, when logged in with a generic 'Classroom' username with little or no password protection, will not provide any network access for the user, except to the intranet for email and taking the register. Just like it used to be in the old days, when the school had no network security other than disconnecting it from the LAN, and teachers didn't use email or take the register electronically.

    Thanks in advance

    Ian
    Last edited by ianh64; 15th August 2010 at 04:46 PM.

  2. #2
    bio
    If I were you I wouldn't make it any tougher than it is. I don't see any problem with putting a TMG server into the domain (check out the back-to-back TMG solution); it will unlock those great features that TMG is intended to do. Of course it will cost some performance, but it will be no problem at all if you have the right hardware or VM specs. So no IPsec (that means PKI) difficulties and knowledge required.

    bio..

  3. #3
    tom_newton
    Yeah, you want whatever box you're using for web filtering (and this sounds like a web filtering job to me) to be part of your domain; it's useful on many levels.

  4. #4
    Thanks for the info. Any other suggestions? No funds are available for an additional 2-processor licence (even with educational pricing) of TMG to put in as a back firewall.

    What about moving the edge firewall back into the domain? Too risky? It's supporting Exchange Edge Server, Forefront for Exchange Server and TMG. It was a design decision to put it on its own, and it took some effort to do; bringing it back into the domain is not without risk, although I am thinking of moving it from a virtual machine to an inexpensive physical machine so there will be some fallback if it doesn't work right out of the box, now that the test network is the production network.

    Or other options?

  5. #5
    Thanks for the suggestions.

    I have decided to purchase a hardware firewall for edge protection and move Forefront TMG back into the domain, probably running with the TMG client. This will give us edge firewall protection without the expense of additional TMG licences, plus the ability, if needed, for user authentication and filtering in TMG.
