
TMG questions

Hi there,

Has anyone managed to successfully integrate a WS1100 with a TMG in front of it?

We have a requirement where the TMG needs to be the first port of call for client devices, and in the documentation it mentions that a TMG can be in front of a WS, but so far we have been unable to get it working.

I have been in contact with Sophos support (via email) but they would prefer I don't use the TMG at all.

Any help or advice would be appreciated.



This thread was automatically locked due to age.
  • Hi FJ,

    Sorry to hear you're having a few problems with this setup.

    Looking back at your previous post, are you still trying to use the Bridged deployment mode?

    /search?q= 13819

    The bridged deployment mode should be fairly simple to set up, as there should be no configuration changes required on the TMG. The TMG will still use the same firewall/router as its default gateway and the appliance will just sit in between and transparently filter the traffic.

    Alternatively, if you are using a 'Web Chaining' rule in TMG then there will be a little bit of setup required on the TMG. Unfortunately Sophos support wouldn't be able to go too deep into the TMG configuration as it isn't our product. However, the basics are:

    • The appliance would normally be in 'Explicit' mode
    • If you want the appliance to integrate with Active Directory, the TMG plugin should be installed on the TMG. This can be downloaded from the appliance in 'Configuration > Network > Hostname'
    • If you want the appliance to integrate with Active Directory, you must enter the TMG IP in 'Configuration > Network > Hostname' under 'Accept authentication from downstream ISA/TMG servers'
    • The TMG will need a web chaining rule configured to forward web traffic to the appliance as an upstream proxy on port 8080
    • Preferably the appliance should not use the TMG as its default gateway to prevent proxy loops. The appliance should go straight out through the edge firewall/router
    • If the appliance has to use the TMG server as its default gateway, it should not be part of the web-chaining rule to prevent a proxy loop
    • Consider whether you want to use caching on the TMG. If you are caching pages you may get undesired results. Users might get access to unwanted pages if they are already cached on the TMG.

    Obviously the exact instructions can vary depending on how the TMG is deployed - Is it running in an edge configuration, or is it within the LAN?

    I'd be happy to offer some more advice if you could let me know what mode you are considering, and what problems you've come across?

    Thanks,

    -Tom.
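
The proxy-loop condition described in the reply above, as an added example that is not part of the original post and is not Sophos or TMG tooling. It is a simplified model of the forwarding decisions only; the node names (`client`, `tmg`, `appliance:8080`, `edge`) and the rule structure are hypothetical.

```python
# Simplified model: which hop handles a web request next, and does it ever loop?
# Node names and the "chained_sources" set are hypothetical, not TMG syntax.

def trace(appliance_gateway, chained_sources, client="client"):
    """Follow one web request from a client; return (path, looped)."""
    path, seen = [client], set()
    node, source = "tmg", client           # clients always hit the TMG first
    while node != "internet":
        if (node, source) in seen:         # same hop, same sender again: proxy loop
            return path, True
        seen.add((node, source))
        path.append(node)
        if node == "tmg":
            # Web chaining rule: matching sources are forwarded upstream
            # to the appliance on port 8080; everything else goes out.
            node = "appliance:8080" if source in chained_sources else "edge"
        elif node == "appliance:8080":
            # The appliance fetches the page itself via its default gateway.
            source, node = "appliance", appliance_gateway
        elif node == "edge":
            node = "internet"
    path.append("internet")
    return path, False

# The three layouts discussed in the reply (constructed scenarios).
SCENARIOS = {
    "appliance exits via edge firewall": ("edge", {"client"}),
    "gateway is TMG, appliance excluded from rule": ("tmg", {"client"}),
    "gateway is TMG, appliance matched by rule": ("tmg", {"client", "appliance"}),
}

if __name__ == "__main__":
    for name, (gateway, chained) in SCENARIOS.items():
        path, looped = trace(gateway, chained)
        print(f"{name}: {' -> '.join(path)}{'  [LOOP]' if looped else ''}")
```

Only the third layout loops: the appliance's own outbound fetch is routed back through the TMG and matched by the same chaining rule that sent the request to it.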
