About access to internal resources

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Internal clients may make requests to the Internet and to other internal networks. When configuring access to internal networks, note the following:

  • Internal clients should access hosts in their own network directly, and not through Forefront TMG.

  • Requests from internal clients for resources in other networks are usually controlled by access rules, but in some circumstances you may want to use server publishing rules as an alternative.

Direct access

Clients should not go through Forefront TMG in order to access resources on their own network. This is known as looping back, and it may degrade performance and cause DNS configuration issues when internal clients try to access internal resources through an external interface. To avoid this, use direct access for host-to-host communications on the same network. For more information, see Configuring direct access for Firewall clients, and Configuring direct access for Web proxy clients.

Using access rules and publishing rules

In some circumstances, you may want to allow internal clients in one network to access resources in a different internal network. For example, you may want to allow clients in the corporate internal network to request resources in a perimeter network, and vice versa. Access rules can allow or deny traffic from the client source network to a different network, or server publishing rules can make a published server available to clients on a different network. When deciding whether to use a server publishing rule or an access rule, consider the following:

  • Access rules allow or deny traffic. Server publishing rules only allow traffic.

  • Access rules allow traffic to multiple hosts. Server publishing rules only provide access to a single server.

  • An access rule can allow or deny multiple protocols. A server publishing rule can only publish a single protocol.

  • An access rule can only use outgoing protocols.

  • Port translation can be performed with server publishing, so that the rule publishes services on a different port than the actual service port.

  • Server publishing rules allow address translation in both directions, so that Forefront TMG hides the address of the client from the published server, and the address of the published server from the client.

  • Some built-in application filters, such as the SMTP filter, are designed to work with server publishing rules, and not with access rules.

  • When you configure access rules or server publishing rules, the network relationship configured between source and destination networks specified in the rules affects how traffic is handled, and should be taken into account. For more information about how network relationships affect policy rules, see About network relationships and firewall policy.

Copyright © 2009 by Microsoft Corporation. All rights reserved.