This topic is designed to help you plan and select the Forefront TMG network topology that is most suitable for your existing network topology, and for your network security requirements. It describes the topologies that are available for selection when you set up the Forefront TMG network, and the implementation considerations for each topology.
Note: Forefront TMG network refers to the physical or logical network to which the computer on which Forefront TMG is installed belongs. For information about using Forefront TMG to create virtual private networks, see Planning for virtual private networks.
The following Forefront TMG network topologies are available:
- Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).
- 3-Leg perimeter—This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.
- Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.
- Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet. For more information, see About single network adapter topology.
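The adapter requirements of the four topologies above can be written down as a small planning check. The following is an added example, not part of the Forefront TMG documentation or product; it models the network in front of a back firewall as a perimeter network, which is an assumption, and the adapter plans in it are constructed.

```python
"""Check which Forefront TMG network topology a planned adapter layout fits.

Each adapter is described by the network role it will be assigned to. The rules
follow the topology descriptions above; the back-firewall case models the network
in front of Forefront TMG as a perimeter network (an assumption: the page only says
"the network element in front of it").
"""
from collections import Counter

INTERNAL, PERIMETER, EXTERNAL = "internal", "perimeter", "external"
ROLES = {INTERNAL, PERIMETER, EXTERNAL}
TOPOLOGIES = ("Edge firewall", "3-Leg perimeter", "Back firewall", "Single network adapter")


def check_topology(topology, adapters):
    """Return None if the adapter roles fit the topology, otherwise the reason they do not."""
    counts = Counter(adapters)
    unknown = set(counts) - ROLES
    if unknown:
        raise ValueError(f"unknown network role(s): {sorted(unknown)}")
    total = sum(counts.values())

    if topology == "Edge firewall":
        # Two networks only: the internal network and the external network (the Internet).
        if counts[INTERNAL] != 1 or counts[EXTERNAL] != 1 or total != 2:
            return "edge firewall needs exactly one internal and one external adapter"
    elif topology == "3-Leg perimeter":
        # At least three networks: internal, one or more perimeter networks, external.
        if counts[INTERNAL] != 1 or counts[EXTERNAL] != 1 or counts[PERIMETER] < 1:
            return "3-leg perimeter needs internal, external and at least one perimeter adapter"
    elif topology == "Back firewall":
        # Internal network plus the element in front (modelled as a perimeter network);
        # the Internet is reached only through the edge device, so no external adapter.
        if counts[INTERNAL] != 1 or counts[PERIMETER] != 1 or total != 2:
            return "back firewall needs one internal adapter and one toward the front-end element"
    elif topology == "Single network adapter":
        # Exactly one adapter, on the internal or a perimeter network, never on the Internet.
        if total != 1 or counts[EXTERNAL]:
            return "single adapter topology needs exactly one internal or perimeter adapter"
    else:
        raise ValueError(f"unknown topology: {topology}")
    return None


def candidate_topologies(adapters):
    """List the topologies the planned adapter roles fit, in the order the page lists them."""
    return [name for name in TOPOLOGIES if check_topology(name, adapters) is None]


if __name__ == "__main__":
    # Constructed planning inputs, not taken from any real deployment.
    for plan in (["internal", "external"], ["internal", "perimeter", "external"], ["external"]):
        print(plan, "->", candidate_topologies(plan) or "no supported topology")
```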
Forefront TMG may be connected to the local area network (LAN) directly, or through a router or another firewall. If you are connecting to Forefront TMG through a firewall for remote management, or as a Forefront TMG protected client, note the following:
- Remote management, such as from an Enterprise Management Server (EMS) computer, requires the use of remote procedure call (RPC) for remote server status and service status monitoring.
- The path from Forefront TMG clients to Forefront TMG must not be port-filtered.
- The ports required at the intervening firewall are described in the article Service overview and network port requirements for the Windows Server system (http://go.microsoft.com/fwlink/?LinkId=156514).