About single network adapter limitations

Microsoft Forefront Threat Management Gateway can be installed on a computer with a single network adapter. Typically, you use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network and another firewall is located at the edge, protecting corporate resources from the Internet.

When you install Forefront TMG on a computer with a single network adapter, Forefront TMG is only aware of two networks:

  • Local Host network, which represents the Forefront TMG computer itself (its own IP addresses, including the loopback address).
  • Internal network, which includes all unicast IP addresses that are not part of the Local Host network.

In this configuration, when an internal client browses the Internet, Forefront TMG sees both the source and the destination address of the Web request as belonging to the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network (Forefront TMG protects itself in all scenarios). Because the Firewall service and application filters operate only in the context of the Local Host network, access rules can allow non-Web protocols only for traffic to or from the Local Host network, that is, traffic of the Forefront TMG computer itself; they cannot allow non-Web protocols from internal clients through the Forefront TMG server, since that traffic would have to be handled by the Firewall service on the Internal network.

Installing and configuring

During installation with a single network adapter, all IP address ranges should be configured for the Internal network, excluding the following:

  • The loopback address range (Local Host)
  • The multicast address range

Following installation, run the Getting Started Wizard and select the single network adapter template.

Note that assigning two IP addresses to the single network adapter, or installing a second network adapter and leaving it disabled, is not supported.

Supported scenarios

The following scenarios are supported when running Forefront TMG with a single adapter:

  • Forward Web Proxy requests using HTTP, HTTPS, or FTP for downloads.
  • Cache Web content for use by clients on the corporate network.
  • Web publishing to protect published Web or FTP servers.
  • Microsoft Office Outlook Web Access 2007, ActiveSync®, and remote procedure call (RPC) over HTTP publishing.
  • Remote client VPN access.

Forward Web proxy and caching

Forefront TMG can be deployed as a forward proxy and caching server. In this configuration, Forefront TMG proxies requests from internal clients to remote networks, such as the Internet. If caching is enabled, Forefront TMG maintains a cache of frequently requested Internet objects in order to provide Web browser clients with optimized access. Note the following in this scenario:

  • Only Web Proxy requests are supported.
  • Access rules allowing client access through the Forefront TMG computer should be configured with source addresses that use only the actual internal IP address ranges, not the Internal network object. This is required because, apart from the Local Host network (which includes the loopback address), every IP address is considered part of the Internal network, so a rule whose source is the Internal network would match requests from any address, including addresses outside the corporate network. The destination should specify either the Internal network (which in this configuration also covers Internet addresses) or a specific address.
  • Web Proxy clients cannot access protocols other than HTTP, HTTPS, and FTP downloads.
  • To provide Internet access for the Forefront TMG computer itself, you must either modify system policy rules or create access rules from the Local Host network to the Internal network. Even in a single network adapter configuration, Forefront TMG protects itself from the Internal network, and rules are needed to control traffic between the two networks.
  • When Forefront TMG has a single network adapter and is located behind another edge firewall, caching works as follows: Web Proxy clients send URL requests to the Forefront TMG server. Forefront TMG checks whether the Web object can be served from the cache. If the page is not cached or has expired, Forefront TMG makes an Internet request through the edge firewall. The edge firewall handles the Forefront TMG request in accordance with its access settings. If the request is allowed, the object is returned through the edge firewall to Forefront TMG, which places the object into its cache in accordance with cache settings and forwards the cached object to the Web Proxy client.
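To make the two-network model and the access-rule advice above concrete, here is an added example (it is not part of the original page and is not Forefront TMG code) that models how addresses are classified on a single-adapter computer and how ordered access rules then match Web Proxy requests. It assumes a Forefront TMG computer whose only adapter holds 10.0.0.5, client workstations on 10.1.0.0/16, and a handful of constructed request addresses; every name, range and address in it is illustrative.

```python
"""Model of Forefront TMG address classification and access-rule matching on a
single-network-adapter computer. Added illustration, not TMG code; the
addresses, rule names and request list are constructed sample data."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Assumed: the TMG computer's only adapter holds 10.0.0.5, client workstations
# live in 10.1.0.0/16, and the edge firewall reaches TMG over the same adapter.
TMG_ADAPTER_IPS = frozenset({IPv4("10.0.0.5")})
CLIENT_LAN = Net("10.1.0.0/16")
LOOPBACK = Net("127.0.0.0/8")
WEB_PROXY_PROTOCOLS = frozenset({"HTTP", "HTTPS", "FTP"})


def classify(ip: str) -> Optional[str]:
    """Return the TMG network an address falls in with a single adapter.

    Only two networks exist: Local Host (loopback plus every address the TMG
    computer owns) and Internal (every other unicast address, Internet
    addresses included). Multicast is excluded from Internal at installation
    and so belongs to no network.
    """
    addr = IPv4(ip)
    if addr in LOOPBACK or addr in TMG_ADAPTER_IPS:
        return "Local Host"
    if addr.is_multicast:
        return None
    return "Internal"


@dataclass(frozen=True)
class AccessRule:
    name: str
    protocols: frozenset
    sources: tuple       # TMG network names (str) or explicit IPv4Network ranges
    destinations: tuple
    action: str = "allow"


def selected(selectors: tuple, ip: str) -> bool:
    """True if the address is covered by any selector of a rule element."""
    for sel in selectors:
        if isinstance(sel, str):
            if classify(ip) == sel:
                return True
        elif IPv4(ip) in sel:
            return True
    return False


def evaluate(rules, src: str, dst: str, proto: str) -> Optional[str]:
    """Return the name of the first rule allowing the request, else None.

    TMG firewall policy is ordered, first match wins, and ends in a default
    deny. With one adapter the Firewall service only handles traffic to or
    from Local Host, so a non-Web protocol between two Internal addresses has
    no path (no SecureNAT or Firewall client support) and is refused outright.
    """
    if proto not in WEB_PROXY_PROTOCOLS and "Local Host" not in (classify(src), classify(dst)):
        return None
    for rule in rules:
        if (proto in rule.protocols
                and selected(rule.sources, src)
                and selected(rule.destinations, dst)):
            return rule.name if rule.action == "allow" else None
    return None


# Over-broad policy: "Internal" as the source matches every non-local address.
BROAD_POLICY = (
    AccessRule("Allow web", WEB_PROXY_PROTOCOLS, ("Internal",), ("Internal",)),
)

# Policy the page recommends: sources limited to the real corporate ranges,
# plus an explicit rule so the TMG computer itself can reach the Internet.
NARROW_POLICY = (
    AccessRule("Allow web from LAN", WEB_PROXY_PROTOCOLS, (CLIENT_LAN,), ("Internal",)),
    AccessRule("TMG host to Internet", WEB_PROXY_PROTOCOLS, ("Local Host",), ("Internal",)),
)

# Constructed requests: a LAN client, the TMG computer itself, a source outside
# the corporate ranges, and a non-Web protocol from a LAN client.
REQUESTS = {
    "lan_client": ("10.1.2.3", "203.0.113.10", "HTTP"),
    "tmg_itself": ("10.0.0.5", "203.0.113.10", "HTTPS"),
    "outside_source": ("198.51.100.7", "203.0.113.10", "HTTP"),
    "lan_smtp": ("10.1.2.3", "203.0.113.25", "SMTP"),
}


def decisions(policy) -> dict:
    """Map each constructed request to the allowing rule name (or None)."""
    return {key: evaluate(policy, *req) for key, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(label, decisions(policy))
```

The broad policy accepts the request from 198.51.100.7 because that address, like every address the Forefront TMG computer does not own, is Internal; the narrow policy rejects it and still lets the Forefront TMG computer reach the Internet through the Local Host rule, which the Internal-only rule never matched. The SMTP request is refused under both policies because, with one adapter, the Firewall service serves only the Local Host network.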

Web publishing and Outlook Web Access publishing

You can publish Web servers and Outlook Web Access servers over HTTP or HTTPS. You can authenticate incoming requests and chain requests to upstream proxies. When you publish Outlook Web Access on a single network adapter computer, the following Outlook Web Access features are available:

  • Standard Outlook Web Access features such as sending and receiving e-mail, calendars, and other features
  • Exchange Outlook Mobile Access, ActiveSync, and Outlook RPC over HTTP
  • Forms-based authentication

Unsupported scenarios

There are a number of feature limitations in a single network adapter configuration:

  • Application layer inspection—Application-level filtering does not function, except for the Web proxy filter for HTTP, HTTPS, and FTP over HTTP traffic.
  • Server publishing—Server publishing is not supported. Because there is no separation of Internal and External networks, Forefront TMG cannot provide the NAT functionality required in a server publishing scenario.
  • Firewall clients—The Firewall Client application handles requests from Winsock applications that use the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the Forefront TMG computer), and Firewall client requests are not supported.
  • SecureNAT clients—SecureNAT clients use Forefront TMG as a router to the Internet, and requests are handled by the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the Forefront TMG computer), and SecureNAT client requests are not supported.
  • Virtual private networking (VPN)—Site-to-site VPNs are not supported in a single network adapter scenario.