Internal and perimeter network properties

Applies To: Forefront Threat Management Gateway (TMG)

Default Internal Network

The default Internal network represents the main corporate network of protected IP address ranges. It is configured during Setup either manually, or by selecting an adapter to construct the network based on the Windows routing table. It can be modified following Setup using the Getting Started Wizard, but not deleted.

By default, Forefront TMG protects the Internal network from all networks except the Local Host network that represents the Forefront TMG computer. Forefront TMG system policy rules assume that default network services such as DNS servers, RADIUS servers, and domain controllers are located in the Internal network. For more information, see About system policy.

Perimeter Network

If you configure the Forefront TMG computer with a third network adapter, a perimeter network is created. The perimeter network is often used to segment a corporate network to protect resources, such as critical network services, or to isolate corporate servers published to external users. When you create a perimeter network, you can configure it with the same settings as those you can configure on the default Internal network.

Network properties

The Internal network or predefined perimeter networks have a number of properties associated with them. You can also configure these properties for custom networks you create. The properties are described in the following table.

Property Details


IP address ranges included in the network.

Web Proxy

Indicates whether the network listens for HTTP requests from the Web Proxy clients, and indicates the type of authentication such clients will use for requests. Note that the Enable SSL setting is only for use in a Web proxy chaining scenario. You cannot configure Web Proxy clients to connect to Forefront TMG using Secure Sockets Layer (SSL). On the Local Host network, set Web proxy properties to configure the Web proxy listener for use by applications running on the Forefront TMG network. The options you specify on this property page are reflected in the configuration script that set Web browser settings when Web Proxy clients are configured to use an automatic script.

Firewall Client

Indicates whether the network listens for requests from Firewall clients on port 1745, and specifies how the Web browser on Firewall client computers detects browser settings. Clients can be enabled to detect browser settings using a Web Proxy Automatic Discovery (WPAD) entry in Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS), or to use an automatic configuration script in a specific location. The settings are applied when Firewall client computers are installed. If you later make changes to Firewall client configuration settings on the Forefront TMG computer, Forefront TMG automatically updates configuration settings each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Microsoft Firewall Client dialog box, and every six hours after the previous refresh. Settings are applied to all users on the Firewall client computer.

Auto Discovery

Indicates the port number on which the Internal network adapter listens for WPAD requests from Web Proxy clients. By default, Forefront TMG publishes automatic discovery information on port 80.

Web Browser

Indicates the browser settings for Web Proxy clients in the network. Configuration settings include specifying a backup route, bypassing the proxy for computers in the local network, and using direct access that bypasses the Web proxy. Computers acting as Web Proxy clients that are enabled for automatic detection or use an automatic configuration script will use the settings specified on this tab. For direct access, you can specify that the Web proxy should be bypassed for the domain list specified on the Domains tab, or specify a list of direct access sites. For more information, see Bypassing Forefront TMG for Web proxy client requests.


When the setting Directly access computers specified in the Domain tab is enabled on the Web Browser tab, computers acting as Web Proxy clients will connect directly to domains specified on this tab, bypassing the Web proxy.