Microsoft Forefront Threat Management Gateway (TMG) implements the concept of multi-networking. You can use the multi-networking features of Forefront TMG to protect your network against internal and external security threats, by limiting communication between clients even within your own organization. You can group computers in your internal network into network sets, and configure an access policy specific to each network set. You can also define relationships between the various networks, thereby determining how computers on each network communicate with each other, by way of Forefront TMG. For information about how networks are implemented on the enterprise level, see Enterprise Networks.
In a common publishing scenario, you might want to isolate the published servers on their own network, such as a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). Forefront TMG's multi-networking functionality supports such a scenario, so that you can configure how clients on the corporate network access the perimeter network, and how external clients access the perimeter network. You can configure the relationships between the various networks, defining a different access policy between each pair of networks.
In the figure, the Forefront TMG computer sits between the Internet (the external network) and the internal network, the corporate network, and the perimeter network. Each network adapter on the Forefront TMG computer is connected to one of the networks. Using Forefront TMG, you can configure different access policies between any pair of networks. That is, you can specify whether and how computers on each of the networks communicate with each other. Each network is isolated from the others, and is made accessible only when you configure rules that allow communication between networks.
You can use the multi-networking features of Forefront TMG to identify, configure, and define the connectivity and relationships between computers, both internal and external to your organization. To configure the multi-networking environment, you identify networks (FPCNetwork objects), optionally grouping them into network sets (FPCNetworkSets collections), and define relationships between the networks.
After you define networks, you create network rules (FPCNetworkRule objects), which determine whether and how the networks are connected. A network rule defines only the relationship (NAT or route); for both NAT and route relationships, traffic is permitted only by configuring policy rules. Publishing rules can be configured to allow traffic from the destination network to the source network.
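The workflow described above, as an added PowerShell example that is not part of this SDK page: it uses the Forefront TMG administration COM object (FPC.Root) to list the configured networks and network rules with their relationships, then defines a NAT network rule from an assumed "Perimeter" network to the External network. The ProgID, the properties and methods not named on the page (GetContainingArray, NetworkConfiguration, NetworkRules.Add, SourceNetworks.Add, Save) and the enumeration values are assumptions taken from the ISA/TMG SDK and should be checked against it.

```powershell
# Added example (not from the TMG SDK page). Assumptions: run on the TMG
# server as a Forefront TMG administrator; networks named "Perimeter" and
# "External" exist; enum values follow the ISA/TMG SDK
# (fpcNetworkConnectionRoute = 0, fpcNetworkConnectionNat = 1, fpcInclude = 0).
$fpcNetworkConnectionNat = 1
$fpcInclude              = 0

$root   = New-Object -ComObject 'FPC.Root'
$array  = $root.GetContainingArray()
$netCfg = $array.NetworkConfiguration

# Audit first: a network rule only defines how two networks are connected;
# traffic still needs an access or publishing rule, so this listing shows
# the isolation boundaries that the policy rules are layered on top of.
"Networks:"
foreach ($net in $netCfg.Networks) {
    "  {0} (type {1})" -f $net.Name, $net.NetworkType
}
"Network rules:"
foreach ($rule in $netCfg.NetworkRules) {
    $rel = if ($rule.NetworkConnectionType -eq $fpcNetworkConnectionNat) { 'NAT' } else { 'Route' }
    $src = ($rule.SourceNetworks      | ForEach-Object { $_.Name }) -join ','
    $dst = ($rule.DestinationNetworks | ForEach-Object { $_.Name }) -join ','
    "  {0}: {1} -> {2} ({3})" -f $rule.Name, $src, $dst, $rel
}

# Define the perimeter-to-Internet relationship as NAT, so published hosts
# reach the external network without exposing their own addresses. The rule
# name is a constructed value; skip creation if it already exists.
$ruleName = 'Perimeter to External (NAT)'
$existing = $netCfg.NetworkRules | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    $newRule = $netCfg.NetworkRules.Add($ruleName, $fpcNetworkConnectionNat)
    $newRule.SourceNetworks.Add('Perimeter', $fpcInclude)
    $newRule.DestinationNetworks.Add('External', $fpcInclude)
    $newRule.Save()
    "Created network rule '$ruleName'; add access rules before any traffic flows."
}
```

The rule is saved to the stored configuration; until a matching access or publishing rule exists, no traffic crosses the new relationship.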
Build date: 11/30/2009
© 2008 Microsoft Corporation. All rights reserved.