
Subject: Help with designing and setting up a network and using Microsoft ISA Server & TMG

  
  1. #1
    Real name: ibd
    Newcomer | Joined: Apr 2011 | Location: Nowhere | Posts: 12 | Thanked: 6 | Thanks given: 8

    Help with designing and setting up a network and using Microsoft ISA Server & TMG

    Greetings to all friends with expertise in Microsoft ISA Server & TMG & NETWORK.
    I am setting up a network with 30 clients that want to access the Internet through the network. I will describe the scenario we are currently using so that you get familiar with the network environment I am redesigning, and then help me with the new scenario I am designing and implementing, so that I design this network properly and correctly and implement it.
    (Also, I am a beginner in networking and have only just started learning it. Please do not give general guidance, because I will not understand it; if possible explain fully, or point me to a source you know is complete so I can study it. General guidance is for people who already know the material and need only a small hint to solve their problem, but I have just started with Microsoft ISA Server & TMG and am not familiar with its environment and uses.) I think if we carry this through completely, in the end it will become the best guide for beginners like me who want to use Microsoft ISA Server & TMG in their network, because we want to proceed according to rules and principles so that anyone who reads this learns a lot by the end.
    Step one: introducing the existing network environment for which we want to do the new design:
    Current scenario in use on this network:
    1) The organization's Internet comes in through two high-speed ADSL lines. There are two modems connected to the Internet; modem one has IP 192.168.10.1 and modem two has IP 192.168.10.2. NAT is enabled on both modems. The modems are Netgear DGN2000.
    2) The network is a Workgroup, and the modems' own NAT service is used to distribute Internet across the network. (Everyone does whatever they want on the network; this is Iran, give a little freedom and people abuse it plenty.)
    3) The whole network is addressed manually. For some users the default gateway and DNS are set to line one, and for the others to line two, so that the speed is split across the two lines.
    15 users are on one line and the other 15 on the other line. The overall IP range is 192.168.10.1 to 192.168.10.32; the first two belong to the modems and the rest are set on the workstations.
    4) The users' Windows versions are both XP and Win7. Old employees work with XP and new employees with Seven, because the old employees are elderly and refuse to learn Seven, so we cannot move everyone to Seven. This is one problem, since not all operating systems are the same version, and updating the systems has become a bit harder: I have to update both XP and Seven and keep an eye on updates for both.
    Now the organization's policy has changed and management wants the network to become server-based, Internet access to be fully controlled, each person to have a specific download allowance, and full control from a security standpoint.
    Management's new requirements:
    1) Control each user's bandwidth consumption (allow no more than 10 KB/s, meaning even if a user installs a program like IDM they cannot download faster than 10 kilobytes per second; manager accounts get 25 KB/s).
    2) Control each user's download volume (some users get a download quota).
    3) Filter some sites that are outside the organization's policy, by content and by certain keywords (the Netgear modem does this itself, but not accurately).
    4) Do not allow users to connect to VPNs in order to bypass the telecom filtering; meaning VPN must not be usable from inside to outside (I mean the anti-filter VPNs that are around; we do not allow internal users to use them).

    5) Prevent downloading of certain audio extensions like MP3 and video extensions like AVI, etc.
    All of these requirements relate to Microsoft ISA Server & TMG, at least as I imagine it; friends, tell me whether my assumption is right or wrong.
    My new scenario is designed as follows:
    1) Change the network from Workgroup to Domain, using Windows Server 2008 R2 x64.
    2) Use the DNS and DHCP services so that IPs are assigned automatically instead of manually.
    3) Use user-defined classes in DHCP to divide users between the ADSL lines and balance users across the two existing lines.
    4) Use the NAT service to distribute Internet across the network (though I do not know whether NAT should be done by the modems, by the Windows RAS service, or by Microsoft ISA Server & TMG itself; which is the better method? Friends, please advise. Currently NAT is enabled on the modems and we just set the modem IPs as the users' default gateway and DNS).
    5) Use Microsoft ISA Server & TMG to manage the organization's Internet; I know nothing about this part and ask friends for guidance so that I can do the things listed under the new requirements.
    Up to part four I was able to do it, test it and get results.
    But for part five, installing TMG, I ran into a lot of problems, some of which I found on this very site and solved. I have written down the problems I found so far in order, so that other friends who read this later can solve them if they run into the same problems.
    Problems:
    1) TMG or ISA blocking the DHCP service from assigning IPs to clients.
    2) Blocking of the DNS service on the network, and DNS-related problems on the network.
    These two problems were covered in Engineer Reza Alikhani's posts in the Microsoft ISA Server & TMG section; I tested them and got results. I should thank Engineer Reza Alikhani for putting very interesting material on the site, which addresses the problems of most network administrators. Friends can find the basic requirements for installing and setting up Microsoft ISA Server & TMG by reading those posts.
    Now let's get to the main point, i.e. continuing this new scenario, and the questions that have come up for me.
    Friends, I ask that when answering a question you copy the question at the start of the answer, so it is clear which question the answer refers to.
    Questions that have come up for me:
    Question 1) To install TMG or ISA, must two network cards be defined on the TMG or ISA server computer, or not? I read on two or three sites that I need two network cards, one connected to the internal network and the other to the Internet, i.e. the external network. Now in our scenario, where we have two modems for incoming Internet, what should I do? Do I need three network cards or not, and how should these network cards be configured? Please explain any other guidance related to this question as well.
    Question 2) Clarify the concepts of internal network and external network, i.e. what they mean in TMG. In our scenario, where two modems bring Internet into the organization, are both modems considered external networks or not? I read some material on websites but these concepts are not very clear to me. Should I put one network card on the system for each modem, plus a third network card for the internal connection that plays the role of the internal network, or not?
    Question 3) Explain the three topologies that ISA & TMG describe in their scenarios: where and in which scenarios can we use each one? I would be grateful if you answer this question with examples from your own work, e.g. if we want to do such-and-such, which topology did you use?

    The following Forefront TMG network topologies are available:
    • Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).
    • 3-Leg perimeter—This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.
    • Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.
    • Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet.
    That's it for now; we will continue.




  2. #2
    Real name: ibd
    Newcomer | Joined: Apr 2011 | Location: Nowhere | Posts: 12 | Thanked: 6 | Thanks given: 8
    Is there nobody to take this scenario forward step by step? Friends, if we start this I think it will solve the problems of many friends like me.



  3. #3
    Real name: Peyman
    Regular member | Avatar: peyman13618 | Joined: Jul 2005 | Location: Tehran | Posts: 90 | Thanked: 21 | Thanks given: 20
    Nice post. I am facing a similar network and similar problems. If a thread like this gets completed, it is better than having scattered threads about one topic. I also ask friends to complete this scenario here if they can.



  4. #4
    Real name: Sajjad Kolahi
    Banned | Joined: Jun 2009 | Location: Miandoab | Posts: 832 | Thanked: 634 | Thanks given: 0
    It's a good scenario, but believe me, the further we go into the posts,
    the earlier posts of the discussion fade from memory.

    I suggest dividing the whole discussion into: the LAN, the Internet, the initial and final configuration,
    and the logical network relationship.



  5. #5
    Real name: Pedram
    Newcomer | Avatar: p_zamanian | Joined: Jul 2010 | Location: Tehran | Posts: 17 | Thanked: 19 | Thanks given: 0

    Exploring ISP Redundancy in Forefront Threat Management Gateway (TMG) 2010


    Hello dear friend,


    I hope I have helped with solving your problem and with getting you familiar with TMG.

    If the answer is not comprehensive, please forgive me.

    Well, my opinion is that before implementing you should get an overall picture first (a training video is faster),

    because the service may get set up with friends' help, but troubleshooting and making changes then becomes problematic.

    In any case, for the first question, look at the step-by-step stages; they are helpful.




    Question 1) To install TMG or ISA, must two network cards be defined on the TMG or ISA server computer, or not? I read on two or three sites that I need two network cards, one connected to the internal network and the other to the Internet, i.e. the external network. Now in our scenario, where we have two modems for incoming Internet, what should I do? Do I need three network cards or not, and how should these network cards be configured? Please explain any other guidance related to this question as well.




    Two network cards and an Edge firewall is a good solution.




    Planning for Internet service provider high availability




    Exploring ISP Redundancy in Forefront Threat Management Gateway (TMG) 2010

    Introduction

    One of the many new features in TMG that has long been requested by ISA firewall administrators is its ability to support multiple external network connections. ISP Redundancy (ISP-R) now provides this capability. With support for two unique ISPs (or more accurately, external network connections), we can now have fault tolerance and redundancy for our Internet or WAN connections. In this article we will explore the ISP-R feature in detail, look at the different operating modes, explain the load balancing algorithm, and investigate the dead link detection process. We will also discuss various deployment scenarios and considerations to be made when designing and implementing ISP-R.
    Operating Modes

    ISP-R in TMG has two operating modes – Load Balancing and Failover. In Load Balancing mode, connections are balanced between two external networks evenly (by default) or unevenly (configurable by the administrator). If either external connection goes down, all communication will be sent over the remaining available connection. In Failover mode, one external network is configured as the primary connection, and the other is configured as the secondary connection. All communication is sent over the primary connection. If the primary connection goes down, all communication will be diverted to the secondary connection. Once the primary connection is available again, all communication will again be sent over the primary connection.
    Preparing the Network Interfaces

    ISP-R supports only two external network connections, and each connection must be on a unique subnet. For proper operation and optimum performance, both external network interfaces should be configured identically (pay special attention to your NIC driver’s offload settings). Ideally the network interface cards should be the same model.
    Begin by giving each network interface a descriptive name (e.g. External_Sprint and External_Verizon). Configure the first external network interface with an IP address, subnet mask, and default gateway. If your TMG firewall is not a member of a domain and does not communicate with any internal network resources by name, you can specify your ISP’s DNS servers here. If your TMG firewall is a domain member, do not specify ISP DNS servers here (Internal DNS servers are configured on the internal network interface only). Once complete, click the Advanced… button.

    Figure 1

    Uncheck the box marked Automatic metric, and then enter 1 in the Interface metric: box.

    Figure 2

    Repeat these steps to configure the second external network interface, this time using an Interface metric: value of 2. Be sure to configure a default gateway on this second external interface. Generally this is not recommended, and Windows will complain when you attempt to do this.

    Figure 3

    In this scenario it is safe to disregard this warning and select Yes to proceed.
    Note:
    If your ISPs use DHCP to assign addresses, you will not be able to configure multiple default gateways. In this case you will create default persistent static routes before configuring ISP-R. In our example here, those routes would be configured as follows:
    route add -p 0.0.0.0 mask 0.0.0.0 131.107.54.46
    route add -p 0.0.0.0 mask 0.0.0.0 207.213.91.214
    Configuring ISP Redundancy

    Once the initial network interface configuration is complete, open the TMG management console and in the console tree highlight Networking, then select the ISP Redundancy tab.

    Figure 4

    In the Tasks pane, click Configure ISP Redundancy.

    Figure 5

    Choose Next, then select the ISP redundancy mode that meets your requirements. For demonstration purposes we’ll select the default option Load balancing with failover capability.

    Figure 6

    Specify the ISP connection name:, and then select a network adapter from the drop-down list.

    Figure 7

    Confirm that the gateway address and subnet mask are correct. If your TMG firewall is not a member of a domain and does not communicate with any internal network resources by name, you can specify your ISP’s DNS servers here. If your TMG firewall is a domain member, do not specify ISP DNS servers here (Internal DNS servers are configured on the internal network interface only).

    Figure 8

    In some cases there will be external servers that can only be reached via a specific external link. An example of this would be an ISP’s DNS server or mail server. If required, enter those servers here. You have the option to specify specific computers, computer sets, or address ranges.

    Figure 9

    Repeat the steps above for the second external network connection, and then select the distribution percentage by moving the slider accordingly. If both external links have the same bandwidth, you can safely leave this setting at 50%. If one link has more bandwidth than the other, configure that link to receive a greater percentage of traffic.

    Figure 10

    Choose Finish to complete the ISP-R configuration.

    Figure 11

    If you have configured DNS servers on the external network interfaces, be sure to create corresponding persistent static routes to ensure that requests for those resources are routed through the correct network interface.

    Figure 12

    In our example here, those routes would be configured as follows:
    route add -p 131.107.54.200 mask 255.255.255.255 131.107.54.46
    route add -p 207.213.91.214 mask 255.255.255.255 207.213.91.214
    Once configured, the TMG management console will display information about each ISP connection, along with the currently configured redundancy mode.

    Figure 13

    After configuring ISP-R, to make configuration changes to a specific ISP connection you can right-click the connection and choose Properties.

    Figure 14

    Here you can change the name of the connection, alter the IP address/subnet mask information, enable or disable the connection, modify the load balancing ratio, or add, change, or remove dedicated servers.

    Figure 15

    Changing ISP-R Operating Mode

    In this example we configured ISP-R for Load Balancing. If you wish to change the ISP-R operating mode, click Change ISP Redundancy Mode to Failover in the Tasks pane.

    Figure 16

    When switching from Load Balancing mode to Failover mode, be sure to edit the connection properties and select the appropriate connection role for the connection. Remember, in Failover mode all traffic will be sent over the primary external connection and the secondary connection will only be used if the primary connection is unavailable.

    Figure 17

    Monitoring ISP-R

    To view the status of each ISP connection, highlight Dashboard in the console tree.

    Figure 18

    The status for each ISP link will be displayed in the Network Status frame.

    Figure 19

    If a link becomes unavailable, the connection status will display an alert.

    Figure 20

    Additionally you will see a Connections Unavailable alert under the Alerts tab.

    Figure 21

    When the connection is back online, TMG will raise an informative alert indicating that the connection is once again available.

    Figure 22

    There are a number of ISP-R specific alerts to keep the TMG firewall administrator informed of the status and health of their external network connections.

    Figure 23

    Load Balancing and Dead Link Detection

    It is important to understand that ISP-R distributes connections, not load. The manner in which ISP-R decides which external interface to distribute traffic to is determined by performing a hash of the source IP address and the destination IP address. The result is a number between 0 and 100. If the result is below the percentage configured for the first ISP connection, TMG will use this connection. If it is not, TMG will use the other external connection. This ensures session affinity – all connections for a specific source/destination address pair will be delivered through the same external network interface. The hash is computed for each outgoing connection.
    To determine the availability of a particular ISP connection, TMG performs dead link detection by randomly polling one of the thirteen Internet root DNS servers on TCP port 53 (when TMG is deployed as a back firewall, make certain that TCP port 53 is open to the Internet). If the selected root DNS server responds, TMG considers the connection available. If it does not respond, TMG will poll additional root DNS servers at one minute intervals. If no replies are received after three consecutive attempts, TMG considers the connection unavailable and raises an alert. Once TMG identifies a connection as unavailable, it will wait for five minutes before attempting to poll again. Once it receives a response, TMG will continue polling at one minute intervals. When three consecutive responses have been received, TMG will consider the connection available.
    Deployment Scenarios

    The choice of ISP-R operating modes is influenced primarily by the types of Internet or WAN connections you have. For example, if you have two similar Internet connections in terms of bandwidth, Load Balancing mode is a good choice. If you have one high bandwidth connection and one low bandwidth connection, then Failover mode would be more appropriate. Although this technology is called ‘ISP’ redundancy, it is not limited to Internet-connected links. ISP-R can be used to provide load balancing and failover for WAN links between a branch office and a main office (see considerations below).
    Additional Considerations

    There are a few considerations to be made when designing and deploying ISP-R.

    • Works with NAT only – ISP-R will only provide load balancing and failover for traffic originating from TMG protected networks and destined for the default External network, and will only work when the network relationship is configured as NAT. If the network relationship is configured as route, ISP-R will not function. This is important because traffic originating from the TMG firewall itself will not be processed by ISP-R, as the network relationship between the Local Host network and the External network is route.
    • E-NAT overrides ISP-R – For traffic processed by a network rule configured with Enhanced NAT (E-NAT), E-NAT takes precedence and will override any routing decisions made by ISP-R.
    • Load balancing is not perfect – The load balancing mechanism in ISP-R does not distribute traffic perfectly. Since traffic is distributed by connections, not load, the potential exists for some connections to consume more bandwidth than others, skewing the distribution percentage.

    When ISP-R is configured to provide load balancing or failover for branch office WAN connections, the default dead link detection mechanism may not be appropriate. If you recall, TMG will randomly poll Internet root DNS servers to verify connectivity. If, for example, the TMG firewall is configured to NAT traffic between a branch office and a main office and the main office Internet connection is unavailable, TMG will report both of its WAN connections as being unavailable, when in fact they are.
    In some cases, branch office TMG firewalls may not have direct connectivity to the Internet, which will prevent TMG from polling Internet root DNS servers. In this branch office firewall scenario it would be better to poll services located directly on the other side of the WAN connection. To change the default link detection parameters and to make changes to polling frequency, please refer to the article on the Forefront TMG product team blog.
    Conclusion

    ISP Redundancy is a valuable new feature in TMG that provides fault tolerance and redundancy for external network connections; for ISP connections in the case of an edge firewall deployment, or WAN links in a branch office firewall scenario. Load Balancing and Failover operating modes provide flexible configuration options to match any external network configuration, and verbose alerting capabilities keep the TMG firewall administrator informed on the external network connection status.






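As an added illustration of the two ISP-R mechanisms the quoted article describes (connection distribution by source/destination hash with session affinity, and the dead-link detection timing), here is a small Python simulation. It is not TMG's own code: the hash function (SHA-256), the minute-based clock, the `probe` callback and the sample addresses are all assumptions made for the example.

```python
"""Simulation of the two ISP-R mechanisms described in the quoted article:
hash-based connection distribution with session affinity, and the
dead-link detection state machine.  Added illustration only; TMG's real
hash function is not documented here, so SHA-256 is an assumption."""
import hashlib
from collections import Counter


def isp_index(src_ip: str, dst_ip: str, isp1_percent: int,
              available=(True, True)) -> int:
    """Return 0 for the first ISP connection or 1 for the second.

    The source/destination pair is hashed to a number in 0..99 (the
    article says 0..100; 0..99 avoids an off-by-one at 100%).  Results
    below the percentage configured for ISP 1 go to ISP 1, the rest to
    ISP 2.  The same pair always hashes the same way (session affinity).
    If one link is down, everything goes over the remaining link.
    """
    if available == (True, False):
        return 0
    if available == (False, True):
        return 1
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 100
    return 0 if bucket < isp1_percent else 1


def distribute(connections, isp1_percent: int, available=(True, True)):
    """Tally connections and bytes per ISP.

    `connections` is an iterable of (src_ip, dst_ip, bytes) tuples.  The
    byte tally shows why ISP-R balances connections, not load: a few heavy
    sessions skew the bandwidth split away from the configured percentage
    even when the connection split is close to it.
    """
    conns, octets = Counter(), Counter()
    for src, dst, size in connections:
        link = isp_index(src, dst, isp1_percent, available)
        conns[link] += 1
        octets[link] += size
    return conns, octets


class DeadLinkDetector:
    """Per-link availability state machine, following the article:
    poll once a minute; three consecutive missed replies mark the link
    unavailable (alert); then wait five minutes before polling again;
    once a reply arrives, poll every minute, and three consecutive
    replies mark the link available again (alert)."""
    POLL_INTERVAL = 1   # minutes between polls
    BACKOFF = 5         # minutes to wait after a miss while unavailable
    THRESHOLD = 3       # consecutive results needed to change state

    def __init__(self):
        self.available = True
        self.streak = 0          # consecutive misses (up) or replies (down)
        self.next_poll = 0
        self.alerts = []         # (minute, message)

    def tick(self, minute: int, probe) -> bool:
        """Advance one minute; `probe(minute)` returns True if a root DNS
        server answered on TCP/53.  Returns availability after this tick."""
        if minute < self.next_poll:
            return self.available
        replied = probe(minute)
        if self.available:
            self.streak = 0 if replied else self.streak + 1
            if self.streak >= self.THRESHOLD:
                self.available, self.streak = False, 0
                self.alerts.append((minute, "Connection unavailable"))
                self.next_poll = minute + self.BACKOFF
                return False
            self.next_poll = minute + self.POLL_INTERVAL
        elif replied:
            self.streak += 1
            if self.streak >= self.THRESHOLD:
                self.available, self.streak = True, 0
                self.alerts.append((minute, "Connection available"))
            self.next_poll = minute + self.POLL_INTERVAL
        else:
            self.streak = 0
            self.next_poll = minute + self.BACKOFF
        return self.available


def simulate_outage(outage_minutes, total_minutes: int):
    """Run the detector with replies missing during `outage_minutes`
    (a constructed scenario) and return the list of alerts raised."""
    detector = DeadLinkDetector()
    for minute in range(total_minutes):
        detector.tick(minute, lambda m: m not in outage_minutes)
    return detector.alerts


if __name__ == "__main__":
    # Constructed sample: 30 clients in 192.168.10.0/24 talking to one
    # destination, plus one client running a single large download.
    sample = [(f"192.168.10.{i}", "203.0.113.10", 50_000) for i in range(3, 33)]
    sample.append(("192.168.10.7", "198.51.100.5", 5_000_000))
    print(distribute(sample, 50))           # connections vs. bytes per ISP
    print(simulate_outage(range(0, 10), 20))  # alerts for a 10-minute outage
```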

  6. #6
    Real name: Pedram
    Newcomer | Avatar: p_zamanian | Joined: Jul 2010 | Location: Tehran | Posts: 17 | Thanked: 19 | Thanks given: 0

    Planning Forefront TMG network topology


    Question 3) Explain the three topologies that ISA & TMG describe in their scenarios: where and in which scenarios can we use each one? I would be grateful if you answer this question with examples from your own work, e.g. if we want to do such-and-such, which topology did you use?


    Planning Forefront TMG network topology
    Published: November 15, 2009
    Updated: February 1, 2011
    Applies To: Forefront Threat Management Gateway (TMG)

    This topic is designed to help you plan and select the Forefront TMG network topology that is most suitable for your existing network topology, and for your network security requirements. It describes the topologies that are available for selection when you set up the Forefront TMG network, and the implementation considerations for each topology.
    Note: Forefront TMG network refers to the physical or logical network to which the computer on which Forefront TMG is installed belongs. For information about using Forefront TMG to create virtual private networks, see Planning for virtual private networks.



    The following Forefront TMG network topologies are available:
    • Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).
    • 3-Leg perimeter—This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.
    • Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.
    • Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet. For more information, see About single network adapter topology.
    Forefront TMG may be connected to the local area network (LAN) directly, or through a router or another firewall. If you are connecting to Forefront TMG through a firewall for remote management, or as a Forefront TMG protected client, note the following:

    ------------------------------------------------------------------------------------------------------------------------



    Microsoft Forefront TMG – How to use TMG network templates




    Forefront TMG uses the concept of multi-networking. To define your network topology it is possible to create networks in Forefront TMG. After all necessary networks have been created, these networks must be put into relationship with each other in the form of network rules. Forefront TMG supports two types of network rules:
    Route - A network rule of type Route establishes a bidirectional network connection between two networks which routes the original IP addresses between these networks.
    NAT - A network rule of type NAT (Network Address Translation) establishes a unidirectional network connection between two networks which masks IP addresses from the network segment with the IP address of the corresponding Forefront TMG network adapter.
    After networks and network rules have been created, you must create firewall rules to allow or deny network traffic between the connected networks.
    Network templates

    To ease the configuration of Forefront TMG, TMG provides network templates which allow the creation of typical Firewall scenarios. It is possible to change the network design after the initial installation. All you have to do is to launch the Getting Started Wizard in the TMG Management console. The following screenshot shows the Launch Getting Started Wizard location.

    Figure 1: Forefront TMG Getting Started Wizard
    Configure Network settings

    The Launch Getting Started Wizard allows you to select the required network template. Forefront TMG comes with 4 network templates:
    • Edge Firewall
    • 3-Leg perimeter
    • Back firewall
    • Single network Adapter
    Edge Firewall
    The Edge Firewall template is the classic network template and connects the internal network to the Internet, protected by Forefront TMG. A typical Edge Firewall template requires a minimum of two network Adapters on the Forefront TMG Server.
    3-Leg Perimeter
    The 3-Leg Perimeter Firewall is a Forefront TMG Server with three or more network adapters. One network adapter connects the internal network, one network adapter connects to the external network, and one network adapter connects to the DMZ (Demilitarized Zone), also called Perimeter Network. The Perimeter network contains services, which should be accessible from the Internet but also protected by Forefront TMG. Typical services in a DMZ are Web Servers, DNS Servers or WLAN networks. A 3-Leg Perimeter Firewall is also often called the “Poor Man’s Firewall”, because it is not a “true” DMZ. A true DMZ is the zone between two recommended different Firewall brands.
    Back Firewall
    The Back Firewall template can be used by the Forefront TMG administrator when Forefront TMG is placed behind a front firewall. The back firewall protects the internal network from access from the DMZ and the external network, and it controls the network traffic which is allowed from DMZ hosts and from the front firewall.
    Note:
    Forefront TMG has no built in Front Firewall network template
    Single Network Adapter
    The Single Network Adapter template has some limitations, because a Forefront TMG server with only one network interface cannot be used as a real Firewall, so many services are not available. Only the following features are available:
    • Forward Web Proxy requests that use HTTP, Secure HTTP (HTTPS), or File Transfer Protocol (FTP) for downloads
    • Cache Web content for use by clients on the corporate network
    • Web publishing to help protect published Web or FTP servers
    • Microsoft Outlook Web Access, ActiveSync, and remote procedure call (RPC) over HTTP publishing (also called Outlook Anywhere in Exchange Server 2007 and above)

    Figure 2: Network Template selection
    As a next step, select the network adapters which should be used for this network template. For this example I used the Edge Firewall template so you have to choose which network adapter connects to the LAN and which network adapter connects to the external (untrusted) network.

    Figure 3: Select network adapter
    In Forefront TMG it is now possible to specify additional network routes with the UI. You do not have to use the Route add command from the command line. The following screenshot shows the default networks created by the Microsoft Forefront TMG installation. Only the Internal network has the option to configure the IP address ranges.

    Figure 4: Forefront TMG networks
    Forefront TMG comes with some built in network rules which defines the network relationship between the networks.

    Figure 5: Forefront TMG Network Rules
    Also new in Microsoft Forefront TMG is the built in capability to define some basic network adapter settings like IP addresses, Default Gateways and more.

    Figure 6: Forefront TMG Network Adapters
    The following screenshot shows the configuration options for the TMG network adapters.

    Figure 7: Forefront TMG IP address properties
    With Forefront TMG it is now possible to create new network routes with the TMG Management console.

    Figure 8: Forefront TMG Network routes
    The following screenshot shows an example of the new Network Topology route creation dialog box.

    Figure 9: Forefront TMG – Create new Network Topology route
    New networks in TMG

    It is possible to create additional networks in Forefront TMG. Forefront TMG comes with a built in wizard to create new networks.

    Figure 10: Forefront TMG – New network name
    New networks can be created for different areas. For example it is possible to create a new network for an additional DMZ on Microsoft Forefront TMG

    Figure 11: Forefront TMG – Specify Network type
    Specify the IP address ranges for the new network.

    Figure 12: Forefront TMG – IP address ranges
    After the new network has been created, you must associate the new network with an existing network rule or it is possible to create a new network rule relationship from type Route or NAT.
    Exporting and importing network definitions

    It is possible to export the Forefront TMG networks and network settings to an XML file with the built in import and export capabilities of Forefront TMG.

    Figure 13: Forefront TMG – Exporting and importing network definitions
    Conclusion

    In this article, I tried to give you an overview about how to use networks, network templates and network rules in Forefront TMG to create your network topology with TMG. As you have seen in this article it is very easy to create your network topology with the help of network templates. Forefront TMG has some helpful enhancements related to the network configuration. It is a nice feature that it is now possible for TMG administrators to create network routes with the TMG Management console and that it is possible to configure some basic IP address settings with the TMG console. Most of the other settings remained





    Edited by p_zamanian: 2011-05-08 at 09:42 AM

  7. #7
    Real name: ibd (newcomer; joined Apr 2011; location: nowhere; 12 posts)
    Hello friends, I have picked up a few points from material on various sites and am writing them down here; maybe they will be useful to other beginners like me. To keep the post from getting cluttered, I will point you to things to read:
    Point one) There are three types of clients, each with its own advantages and characteristics, and one of the three should be chosen based on the network's needs. I chose the SecureNAT type for the scenario I described at the beginning:
    A good resource to read: Types of ISA clients

    One) The first problem with SecureNAT
    1- Network card connected to the ADSL modem (external)
    2- Network card connected to the internal network switch (internal)


    ISA server external network card:

    ip:192.168.0.100
    subnetmask:255.255.255.0
    defaultgateway:192.168.0.254
    DNS:192.168.0.254

    ISA server internal network card:

    ip:192.168.10.1
    subnetmask:255.255.255.0

    Client:

    ip:192.168.10.2
    subnetmask:255.255.255.0
    defaultgateway:192.168.10.1
    dns:192.168.10.1

    I have no Internet on the client......... friends, please help.
    From the client I can ping the internal network card on the ISA, and I can also ping the external network card's IP, 192.168.0.100. So where is the problem?
    The solution I found for this:

    The problem was the clients' DNS; DNS was not performing resolution.
    "If you configure the SecureNAT clients to use an Internet DNS server to resolve DNS queries, the client will not be able to resolve internal DNS names."

    And the problem was solved with this setting: I set the clients' DNS to the well-known DNS servers; I used Google's.
    The client settings became as follows, and it worked and has Internet:
    ip:192.168.10.2
    subnetmask:255.255.255.0
    defaultgateway:192.168.10.1
    dns:8.8.8.8 - with this setting the problem was solved and the client has Internet access through SecureNAT.




  8. #8
    Real name: Pedram (newcomer; joined Jul 2010; location: Tehran; 17 posts)

    Understanding DNS forwarders

    My good friend,

    with SecureNAT clients you have the least control over users.

    Use the TMG client.


    As for DNS, forward the internal network's DNS server to the well-known DNS servers.


    Forefront Threat Management Gateway (TMG) 2010 Firewall Client Features and Benefits


    In this article I will provide a high-level explanation of the TMG Firewall Client and share with you the benefits associated with deploying it.


    Introduction

    The Firewall Client has been around for many years, dating back to the days of Microsoft Proxy Server when it was referred to as the Winsock Proxy Client. It is a software component that provides the ability to proxy any application that uses Winsock, regardless if the application itself is proxy aware. In my discussions with ISA and TMG firewall administrators, I am consistently amazed at how few understand the power, flexibility and control that is provided by this wonderful utility.
    What is the TMG Firewall Client?




    The TMG Firewall Client is an application that can be installed on most Windows desktop and server operating systems (it is limited only to Windows – there is no support for non-Microsoft operating systems such as Mac or Linux). The TMG Firewall Client is backwards compatible with ISA Server 2006 and 2004, and the older ISA Firewall Clients (2006 and 2004) still interoperate with Forefront Threat Management Gateway (TMG) 2010. A complete compatibility matrix is documented here.
    The TMG Firewall Client is a Layered Service Provider (LSP). When installed, the TMG Firewall Client hooks in to the Winsock API and listens for requests that are destined for any remote network. When a request is made for a remote resource, the communication is intercepted and forwarded to the TMG firewall to be proxied to the remote destination. If the request is for a resource on the client’s local network, the TMG Firewall Client simply ignores the request and communication proceeds normally. For a comprehensive look at TMG Firewall Client operation, see Introduction to the TMG Firewall Client document on TechNet.
    Preparing TMG to Support TMG Firewall Clients




    When the TMG Firewall Client is installed, by default it will automatically configure Internet Explorer proxy settings on the client. The TMG Firewall Client will not configure third-party browsers unless they rely on IE’s web proxy settings.
    Before installing the TMG Firewall Client, it is recommended that you review and/or change these configuration settings. Open the TMG management console, highlight the Networking node in the navigation tree, then select the Networks tab. Right-click the Internal network and choose properties. Next, select the option to Enable Forefront TMG Client support for this network.

    Figure 1
    As you can see, the default settings are less than ideal because both automatic configuration and manual configuration are enabled by default. I recommend selecting one or the other, preferably automatic configuration if your environment supports it. Hostnames are defined as single label, but it is a good idea to use fully qualified domain names when possible. In a deployment scenario where Web Proxy Auto Discovery (WPAD) is configured, an ideal configuration should look like this:

    Figure 2
    If you plan to use WPAD for automatic client configuration, be sure to enable the option to Publish automatic discovery information for this network on the Auto Discovery tab of the Internal network properties dialog box.

    Figure 3
    If WPAD is not configured in your environment, you can specify that the client use the TMG firewall’s automatic configuration script using either the default URL or a custom one. Alternatively you can define a proxy server directly.
    Installing the TMG Firewall Client

    Installing the TMG Firewall Client is simple and straightforward. The client can be found in the \Client folder on the TMG installation media, or it can be downloaded here. Double-click the executable then select Next. Accept the license terms and the default installation folder, and then select the method with which to connect to the TMG firewall. Choose Connect to this Forefront TMG computer: if you want to manually connect to a specific TMG firewall, or choose Automatically detect the appropriate Forefront TMG computer to use WPAD. Since my test lab has WPAD enabled, I’ll select the option to automatically detect.

    Figure 4
    Once installed, the TMG Firewall Client icon will appear in the system tray and indicate its connectivity status.
    Enabled and connected.

    Figure 5
    Enabled, connected, and authenticated.

    Figure 6
    Disabled.

    Figure 7
    Unable to connect.

    Figure 8
    TMG Firewall Client service (fwcagent.exe) is not running.

    Figure 9
    You can right-click the TMG Firewall Client icon in the system tray to access TMG Firewall Client configuration settings.
    Benefits Provided by the TMG Firewall Client

    The beauty of the TMG Firewall Client is that it is completely transparent to applications. You can proxy any application that uses Winsock for TCP and UDP communication (e.g. SSH, Telnet, RDP, ICA, SMTP, etc.). The application is completely unaware that its communication is being handled by a proxy server.
    Unlike SecureNAT clients, all TMG Firewall Client communication is authenticated. With the TMG Firewall Client installed you can now enforce strong user and group-based authentication on all TCP and UDP communication. Try doing that with your so-called ‘hardware’ firewall!
    The TMG Firewall Client can also support complex protocols that require secondary connections, without requiring an application filter. In addition, the TMG Firewall Client can resolve some common connectivity issues. There are many web-based applications that have issues with authenticating proxies. Most common are streaming media and Java-based applications. Although they may use HTTP, some applications do not gracefully handle the HTTP 407 (authentication required) response from the proxy and fail to connect. By leveraging the capabilities of the TMG Firewall Client and its always authenticated communication, these problems can easily be resolved.
    To accomplish this, simply install the TMG Firewall Client on the workstation. Next, open the TMG management console and include the destination the problem application is connecting to in the Directly access these servers or domains: list located on the Web Browser tab of the Internal network properties.

    Figure 10
    Note:
    The above will only work if your clients are configured to use automatic configuration. If your clients are configured manually you will need to add the destinations to be bypassed by checking the Bypass proxy server for local addresses and adding the destination manually in the web browser configuration settings. If your clients are configured to use a static PAC file, the PAC file will need to be updated to bypass the proxy server for these destinations.
    Once configured, the client will no longer attempt to send this communication directly to the web proxy server. Instead it will attempt to communicate directly, allowing the TMG Firewall Client to process the traffic.
    Automated Deployment

    The fact that the TMG Firewall Client is an application that must be installed on each workstation is a common barrier to wide-scale deployment in many organizations, especially larger ones. However, the TMG Firewall Client is an MSI package which lends itself quite well to being deployed using automated software deployment mechanisms, including Active Directory Group Policy, Systems Center Configuration Manager (SCCM), and more.
    Command Line Configuration

    When installed, the TMG Firewall Client can be managed via the command line, if necessary. FwcTool.exe is a command line utility found in the \Program Files (x86)\Forefront TMG Client folder for x64 machines (yes, you read that correctly!) and the \Program Files\Forefront TMG Client folder on x86 machines. This utility allows the administrator to enable and disable the client, gather information, set the detection method (manual or automatic), test connectivity, and more.
    Another useful command-line utility included with the TMG Firewall Client is FwcCreds.exe. This tool allows you to specify alternate credentials on a per-application basis. By default, the TMG Firewall Client will use the credentials of the current logged-on user when authenticating to the TMG firewall. There are instances where this may not be desired, however. An example would be a service or other non-interactive process that communicates remotely and requires the assistance of the TMG Firewall Client. In this case you can use FwcCreds.exe to specify a username and password for the TMG Firewall Client to use when it processes traffic from that application.
    Load Balancing TMG Firewall Clients

    When configuring the TMG Firewall Client to communicate with a TMG Firewall, it must use the dedicated IP address of the firewall (or a hostname that resolves to the dedicated IP address). For Enterprise arrays, configuring the TMG Firewall Client to use the virtual IP address (or a hostname that resolves to the virtual IP address) is not supported. Using third-party load balancing solutions is also not supported. The only form of load balancing for TMG Firewall Clients is DNS round robin.
    Additional Features

    The TMG Firewall Client can be used to notify users when they visit an SSL-protected web site and HTTPS inspection is configured and enabled on the TMG firewall. The TMG firewall and the client workstation must be members of a domain for this feature to work.

    Figure 11
    The TMG Firewall Client also logs additional information for communication that it handles. This includes username information (regardless if the access rule requires authentication) and the application (executable name) that initiated the request.
    Caveats

    Ideally the TMG firewall and the clients where the TMG Firewall Client is installed should be members of a domain. Alternatively you can use mirrored accounts on the TMG firewall if your firewall or clients are not members of a domain. Also, clients must have a route to any remote destination they need to communicate with. This is counterintuitive; in theory the TMG Firewall Client should intercept any request for a remote resource and forward that to the proxy, making a route to the remote destination unnecessary. However, beginning with Windows Vista, the DNS client behaves differently, causing some unintended side effects. With Vista and later, the operating system will ignore hostnames that resolve to an IP address that it does not have a route to, effectively behaving as if it is unable to resolve the name at all. In the past it was possible to configure clients without a default gateway and leverage the Firewall Client to control all remote communication. With these changes, configuring the TMG Firewall Client machine without a default gateway is no longer feasible.
    Conclusion

    In this article I provided a high-level description of the TMG Firewall Client and reviewed its installation and configuration. I highlighted some of the benefits it provides, such as providing proxy services for non-proxy aware applications, authenticating all TCP and UDP communication, and logging usernames and application detail. I also outlined some of the command-line troubleshooting tools and discussed additional features such as HTTPS inspection notification. When deployed, the TMG Firewall Client can resolve issues that some applications have when communicating through authenticating proxies. If you have not yet deployed the TMG Firewall Client in your organization, I would strongly encourage you to leverage this powerful tool today.

    http://www.isaserver.org/tutorials/F...-Benefits.html

    Understanding forwarders
    Updated: January 21, 2005
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    Understanding forwarders

    A forwarder is a Domain Name System (DNS) server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. You can also forward queries according to specific domain names using conditional forwarders.
    A DNS server on a network is designated as a forwarder by having the other DNS servers in the network forward the queries they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. For more information about forwarders and conditional forwarders, see Using forwarders.
    The following figure illustrates how external name queries are directed using forwarders.
    For more information about directing external queries, see Directing queries through forwarders.
    Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs.
    When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic, thereby limiting DNS server exposure to the Internet. A forwarder will build up a large cache of external DNS information because all of the external DNS queries in the network are resolved through it. In a small amount of time, a forwarder will resolve a good portion of external DNS queries using this cached data and thereby decrease the Internet traffic over the network and the response time for DNS clients.
    A DNS server configured to use a forwarder will behave differently than a DNS server that is not configured to use a forwarder. A DNS server configured to use a forwarder behaves as follows:
    • When the DNS server receives a query, it attempts to resolve this query using the primary and secondary zones that it hosts and its cache.
    • If the query cannot be resolved using this local data, then it will forward the query to the DNS server designated as a forwarder.
    • The DNS server will wait briefly for an answer from the forwarder before attempting to contact the DNS servers specified in its root hints.
    When a DNS server forwards a query to a forwarder it sends a recursive query to the forwarder. This is different than the iterative query that a DNS server will send to an other DNS server during standard name resolution (name resolution that does not involve a forwarder).

    Conditional forwarders

    A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

    Intranet name resolution

    A conditional forwarder can be used to improve name resolution for domains within your intranet. Intranet name resolution can be improved by configuring DNS servers with forwarders for specific internal domain names. For example, all DNS servers in the domain widgets.example.com could be configured to forward queries for names that end with test.example.com to the authoritative DNS servers for merged.widgets.example.com, thereby removing the step of querying the root servers of example.com, or removing the step of configuring DNS servers in the widgets.example.com zone with secondary zones for test.example.com.

    Internet name resolution

    DNS servers can use conditional forwarders to resolve queries between the DNS domain names of companies that share information. For example, two companies, Widgets Toys and Tailspin Toys, want to improve how the DNS clients of Widgets Toys resolve the names of the DNS clients of Tailspin Toys. The administrators from Tailspin Toys inform the administrators of Widgets Toys about the set of DNS servers in the Tailspin Toys network where Widgets can send queries for the domain dolls.tailspintoys.com. The DNS servers within the Widgets Toys network are configured to forward all queries for names ending with dolls.tailspintoys.com to the designated DNS servers in the network for Tailspin Toys. Consequently, the DNS servers in the Widgets Toys network do not need to query their internal root servers, or the Internet root servers, to resolve queries for names ending with dolls.tailspintoys.com.

    Understanding forwarders: Domain Name System(DNS)


    ---------------------------------------------------------------------------------------------------------------------------
    Using forwarders


    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    Using forwarders

    To use forwarders to manage the DNS traffic between your network and the Internet, configure the firewall used by your network to allow only one DNS server to communicate with the Internet. When you have configured the other DNS servers in your network to forward queries they cannot resolve locally to that DNS server it will act as your forwarder. For more information about forwarders, see Understanding forwarders.

    Forwarding sequence

    The order of the IP addresses listed as forwarders on a DNS server determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address, it waits a short period for an answer from that forwarder (according to the DNS server's time out setting) before resuming the forwarding operation with the next IP address. It continues this process until it receives an affirmative answer from a forwarder.
    For example, in the following figure the DNS servers with the first and second forwarder IP addresses do not respond to the DNS server. The DNS server with the third forwarder IP address responds and the query is forwarded to that DNS server.
    Unlike conventional resolution, where a roundtrip time (RTT) is associated with each server, the IP addresses in the forwarders list are not ordered according to roundtrip time and must be reordered manually to change preference.

    Conditional forwarders

    Conditional forwarders are DNS servers that only forward queries for specific domain names. Instead of forwarding all queries it cannot resolve locally to a forwarder, a conditional forwarder is configured to forward a query to specific forwarders based on the domain name contained in the query. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.
    The conditional forwarder setting for a DNS server consists of the following:
    • The domain names for which the DNS server will forward queries.

    • One or more DNS server IP addresses for each domain name specified.

    When a DNS client or server performs a query operation against a DNS server, the DNS server looks to see if the query can be resolved using its own zone data or the data stored in its cache. If the DNS server is configured to forward for the domain name designated in the query, then the query is forwarded to the IP address of a forwarder associated with the domain name. For example, in the following figure, each of the queries for the domain names is forwarded to a DNS server associated with the domain name.
    If the DNS server has no forwarder listed for the name designated in the query, it can attempt to resolve the query using standard recursion. For more information, see Configure a DNS server to use forwarders and How DNS query works.
    Conditional forwarders allow you to improve name resolution between internal (private) DNS namespaces that are not part of the DNS namespace of the Internet, such as results from a company merger. By configuring the DNS servers in one internal namespace to forward all queries to the authoritative DNS servers in a second internal namespace, conditional forwarders enable name resolution between the two namespaces without performing recursion on the DNS namespace of the Internet. This enhancement to name resolution also avoids having your DNS servers perform recursion to your internal root for different namespaces within your network.
    Important
    • A DNS server cannot forward queries for the domain names in the zones it hosts. For example, the authoritative DNS server for the zone microsoft.com cannot forward queries according to the domain name microsoft.com. The DNS server authoritative for microsoft.com can forward queries for DNS names that end with example.microsoft.com, if example.microsoft.com is delegated to another DNS server.


    Conditional forwarder domain name length

    When a DNS server configured with a conditional forwarder receives a query for a domain name, it will compare that domain name with its list of domain name conditions and use the longest domain name condition that corresponds to the domain name in the query. For example, in the figure below, the DNS server performs the following conditional forwarding logic to determine how a query for a domain name will be forwarded:
    • The DNS server receives a query for networks.example.microsoft.com.

    • It compares that domain name with both microsoft.com and example.microsoft.com.

    • The DNS server determines that example.microsoft.com is the domain name that more closely matches the domain name query.

    • The DNS server forwards the query to the DNS server with the IP address 172.31.255.255, which is associated with example.microsoft.com.


    Forward-only servers

    When a DNS server configured to use forwarders cannot resolve a query locally, or using its forwarders, the server attempts to resolve the query using standard recursion. A DNS server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if it does not get a successful query response from any of the servers configured as forwarders, then it fails the query. A DNS server configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server will not attempt recursion.
    A forward-only DNS server is different from a nonrecursive DNS server because it builds up a cache relating to the domain name and will use this cache to attempt to resolve the domain name. A nonrecursive DNS server will not build up a cache relating to the domain, nor will it perform recursion. In both configurations, the DNS servers will attempt to resolve the query using their authoritative data before using their forwarders.
    Note
    • You can disable recursion for the entire DNS server or on a per domain name basis. If you disable recursion on the entire DNS server, you will not be able to use forwarders on that DNS server.




    http://technet.microsoft.com/en-us/library/cc757172(WS.10).aspx





    Edited by p_zamanian: 2011-05-08 at 11:34 AM
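    The advice in this post (keep an internal DNS server and forward what it cannot answer to well-known resolvers) and the TechNet text above describe one algorithm: answer from hosted zones first, then try the forwarders strictly in the listed order, prefer the longest matching conditional forwarder, and either fall back to recursion or fail if the server is forward-only. The following model of that algorithm is an added example written for this page; it is not Microsoft code and not from the thread. Everything in it is constructed for the demonstration: the ibd.ir zone and its records, the TEST-NET answers (203.0.113.x, 192.0.2.x, 198.51.100.x), the behaviour of the simulated upstream servers, and the two conditional forwarders borrowed from the TechNet example (microsoft.com and example.microsoft.com at 172.31.255.255).

```python
"""Model of the Windows DNS Server forwarding logic described in the TechNet text.
Added example, not Microsoft code; all names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Answer = Optional[str]               # an address string, or None for "no response"
Upstream = Callable[[str], Answer]   # models one remote DNS server


def _in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or lies beneath it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


@dataclass
class DnsServer:
    hosted_zones: Dict[str, Dict[str, str]]                          # zone -> {fqdn: ip}
    forwarders: List[str] = field(default_factory=list)              # tried in listed order
    conditional: Dict[str, List[str]] = field(default_factory=dict)  # domain -> forwarders
    forward_only: bool = False          # fail instead of falling back to recursion
    recursion_enabled: bool = True

    def __post_init__(self) -> None:
        # "A DNS server cannot forward queries for the domain names in the zones it hosts."
        hosted = {z.lower() for z in self.hosted_zones}
        for domain in self.conditional:
            if domain.lower() in hosted:
                raise ValueError(f"cannot conditionally forward hosted zone {domain}")
        # "If you disable recursion on the entire DNS server, you will not be able to use forwarders."
        if not self.recursion_enabled and (self.forwarders or self.conditional):
            raise ValueError("forwarders cannot be used when recursion is disabled")

    def select_forwarders(self, qname: str) -> Tuple[Optional[str], List[str]]:
        """Longest matching conditional-forwarder domain wins; else the server-wide list."""
        matches = [d for d in self.conditional if _in_domain(qname, d)]
        if matches:
            best = max(matches, key=lambda d: d.count("."))
            return best, self.conditional[best]
        return None, self.forwarders

    def resolve(self, qname: str, upstreams: Dict[str, Upstream],
                root_recursion: Upstream) -> Tuple[Answer, str]:
        """Return (answer, how). `upstreams` maps forwarder IP -> simulated server;
        a missing key or a None result models a timeout."""
        # 1. authoritative data is answered locally and never forwarded
        for zone, records in self.hosted_zones.items():
            if _in_domain(qname, zone):
                return records.get(qname.lower()), f"authoritative zone {zone}"
        # 2. forwarders in configured order (the list is not re-sorted by round-trip time)
        domain, fwd_list = self.select_forwarders(qname)
        for ip in fwd_list:
            server = upstreams.get(ip)
            answer = server(qname) if server else None
            if answer is not None:
                tag = f" (conditional: {domain})" if domain else ""
                return answer, f"forwarder {ip}{tag}"
        # 3. a forward-only server stops here
        if self.forward_only:
            return None, "SERVFAIL: all forwarders failed, forward-only"
        # 4. an ordinary server falls back to recursion from its root hints
        return root_recursion(qname), "recursion via root hints"


def demo() -> Dict[str, Tuple[Answer, str]]:
    """Constructed scenario modelled on the thread: ibd.ir hosted locally, public
    names forwarded to two resolvers, plus the TechNet conditional forwarders."""
    dns = DnsServer(
        hosted_zones={"ibd.ir": {"isa.ibd.ir": "192.168.10.1",
                                 "dc1.ibd.ir": "192.168.10.10"}},   # constructed records
        forwarders=["8.8.8.8", "8.8.4.4"],
        conditional={"microsoft.com": ["10.0.0.1"],
                     "example.microsoft.com": ["172.31.255.255"]},
    )
    upstreams: Dict[str, Upstream] = {
        "8.8.8.8": lambda q: None,      # simulated timeout: the second forwarder must be tried
        "8.8.4.4": lambda q: "203.0.113.10" if q == "www.example.com" else None,
        "172.31.255.255": lambda q: "192.0.2.7",
        "10.0.0.1": lambda q: "192.0.2.1",
    }
    root: Upstream = lambda q: "198.51.100.5"   # simulated recursion result
    nothing: Dict[str, Upstream] = {}           # every forwarder unreachable
    forward_only = DnsServer(hosted_zones={}, forwarders=["8.8.8.8"], forward_only=True)
    return {
        "internal": dns.resolve("isa.ibd.ir", upstreams, root),
        "public": dns.resolve("www.example.com", upstreams, root),
        "conditional": dns.resolve("networks.example.microsoft.com", upstreams, root),
        "fallback": dns.resolve("www.example.com", nothing, root),
        "forward_only": forward_only.resolve("www.example.com", nothing, root),
    }


if __name__ == "__main__":
    for case, (answer, how) in demo().items():
        print(f"{case:13} -> {answer} via {how}")
```

    Run as a script it prints one line per case. The "internal" and "public" cases are the point p_zamanian makes to the SecureNAT setup in post #7: with the clients pointed at the internal server and the internal server forwarding to 8.8.8.8, isa.ibd.ir is answered from the hosted zone and www.example.com is answered through the forwarder, whereas pointing the clients straight at 8.8.8.8 loses the internal names.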

  9. #9
    Real name: Pedram (newcomer; joined Jul 2010; location: Tehran; 17 posts)

    Forefront TMG 2010 Design and Deployment Considerations


  10. #10
    Real name: ibd (newcomer; joined Apr 2011; location: nowhere; 12 posts)
    Hello:
    With many thanks to p_zamanian for the material you posted on the site.

    A problem has come up that I cannot solve no matter what I try: following your suggestion to use the Firewall Client, I installed it on the clients, but whatever I do the Firewall Client will not connect to the ISA server. I applied all the settings as in the explanations above, but it still did not work.

    The network looks like this: the network has a domain named ibd.ir

    I have a server, DC1, with Active Directory installed on it; it is the domain controller.
    The ISA server's name is isa.ibd.ir and its internal IP is 192.168.11.11
    DNS is installed on the ISA server, as well as Active Directory, which is a backup of DC1.
    ISA server external network card:

    ip:192.168.0.100
    subnetmask:255.255.255.0
    defaultgateway:192.168.0.254
    DNS:192.168.0.254

    ISA server internal network card:

    ip:192.168.10.1
    subnetmask:255.255.255.0

    Client:

    ip:192.168.10.2
    subnetmask:255.255.255.0
    defaultgateway:192.168.10.1
    dns:192.168.10.1



  11. #11
    Real name: masoud (newcomer; joined May 2011; location: Tehran; 9 posts)
    Hello dear friends,
    I have the same problem as you and have been looking into this a lot. I found an article that helped me a great deal; I hope it is useful for you too.
    http://hotfile.com/dl/110797137/4d50...erver.pdf.html




  12. #12
    Real name: ibd (newcomer; joined Apr 2011; location: nowhere; 12 posts)
    Quote: originally posted by ibd_iran
    Hello:
    With many thanks to p_zamanian for the material you posted on the site.

    A problem has come up that I cannot solve no matter what I try: following your suggestion to use the Firewall Client, I installed it on the clients, but whatever I do the Firewall Client will not connect to the ISA server. I applied all the settings as in the explanations above, but it still did not work.

    The network looks like this: the network has a domain named ibd.ir

    I have a server, DC1, with Active Directory installed on it; it is the domain controller.
    The ISA server's name is isa.ibd.ir and its internal IP is 192.168.11.11
    DNS is installed on the ISA server, as well as Active Directory, which is a backup of DC1.
    ISA server external network card:

    ip:192.168.0.100
    subnetmask:255.255.255.0
    defaultgateway:192.168.0.254
    DNS:192.168.0.254

    ISA server internal network card:

    ip:192.168.10.1
    subnetmask:255.255.255.0

    Client:

    ip:192.168.10.2
    subnetmask:255.255.255.0
    defaultgateway:192.168.10.1
    dns:192.168.10.1
    I solved the problem with this article, but I did not understand any of it; friends, I would be grateful for an explanation.
    Article: Configuring DHCP and DNS for ISA automatic discovery
    What is this "The DNS/DHCP server has a Wpad entry pointing to a Wpad server (ISA Server computer" that has to be defined in DNS and DHCP? I would be grateful if someone could explain it.

    Quote: originally posted by mad_03
    Hello dear friends,
    I have the same problem as you and have been looking into this a lot. I found an article that helped me a great deal; I hope it is useful for you too.
    Hotfile.com: One click file hosting: ISA Server.pdf
    Thanks to the dear friend who introduced this good Persian article.


    Edited by ibd_iran: 2011-05-12 at 10:16 AM

  13. #13
    Real name: Pedram (newcomer; joined Jul 2010; location: Tehran; 17 posts)

    WPAD

    Configuring Forefront TMG Client for automatic detection
    Published: November 15, 2009
    Updated: February 1, 2011
    Applies To: Forefront Threat Management Gateway (TMG)

    For ease of deployment, when you configure Forefront TMG Client support on a Forefront TMG network, you can configure the network properties to enable Web browsers on the client computers to use automatic discovery, either by using WPAD or a static configuration script.
    These settings are applied when the Forefront TMG Client software is installed on client computers. If you make any changes to the client configuration settings on the Forefront TMG computer, Forefront TMG automatically updates the settings, as follows:

    • Each time the Forefront TMG Client is restarted.
    • Each time you click Detect Now or Test Server on the Settings tab in the Forefront TMG Client management console on the client computer.
    • Every six hours after the last refresh.

    -----------------------------------------------------------------------------------------

    Forefront TMG
    About implementing WPAD
    Configuring the WPAD mechanism consists of the following steps:

    • Configure a WPAD server
    • Configure DNS or DHCP so that clients can present a query to discover the location of the WPAD server.

    Configuring a WPAD server
    Clients connect to DNS or DHCP to obtain information about the location of a WPAD server on which the Wpad.dat and Wspad.dat configuration files are located. Then clients connect to the server to obtain the automatic Web proxy settings.
    You can use Forefront TMG as the WPAD server, or you can host the Wpad.dat or Wspad.dat file at an alternative location, such as a server running IIS. When planning for a WPAD server, consider the following:

    • The main advantage of using Forefront TMG as the WPAD server is that the Wpad.dat and Wspad.dat files are automatically updated when Web proxy settings are modified in the Forefront TMG Management console. Placing the WPAD and WSPAD files on a different server requires file content to be updated manually.
    • If Forefront TMG is acting as a WPAD server and is unavailable, clients cannot request WPAD information.
    • Maintaining the WPAD and WSPAD files on a computer running IIS avoids cache latency issues that can occur when you consistently modify WPAD entries to point to alternative Forefront TMG computers.
    • Configuring WPAD and WSPAD files on a computer running IIS can provide some failover capabilities. You can configure multiple Web servers in IIS and place different WPAD and WSPAD files in each Web server. The active Web server will be the one containing WPAD and WSPAD information for the currently active Forefront TMG computer.
    • If you are not using the Forefront TMG computer as a WPAD server, you do not need to publish automatic discovery information, because Forefront TMG does not need to listen for automatic discovery requests. This may be an advantage when IIS is co-located on the Forefront TMG computer and port conflicts can occur.
    • To update the WPAD server location, you update the DHCP or DNS WPAD entries that point to the server. Information is cached on DHCP or DNS servers, and the WPAD entry returned may not contain the most up-to-date Forefront TMG information.

    Configuring the WPAD Server

    To use a Forefront TMG computer as a WPAD server for automatic discovery requests, you configure the network on which clients are located to publish automatic discovery information and specify the port number on which the Forefront TMG computer should make automatic discovery information available. By default, Forefront TMG publishes automatic discovery information on port 8080. If you are using a WPAD entry in DNS, you must publish on port 80. WPAD entries in DHCP can use any port, but you should ensure that the port you specify in Forefront TMG Management for use with DHCP matches the port specified in DHCP option 252. For instructions, see Configuring a WPAD server.

    Configuring an alternative WPAD server

    As an alternative to configuring the Forefront TMG computer as the WPAD server, you can place the Wpad.dat and Wspad.dat files on another computer, such as a server running IIS. In this scenario, the DNS and DHCP entries point to the alternative server. This server acts as a dedicated redirector to provide WPAD and WSPAD information to clients. You can obtain the Wpad.dat and Wspad.dat file by connecting to the Forefront TMG server through a Web browser and by obtaining the files from the following URLs:
    http://computer_name:port/wpad.dat
    http://computer_name:port/wspad.dat
    When placing the WPAD files on the server, for DHCP entries, you can locate the files anywhere as long as option 252 points to the correct location, and not just to the root folder of the published Web server. The name of the Wpad.dat file can be modified, but you must not change the name of the Wspad.dat file. The Web server can be published on any port. For DNS entries, you must locate the files in the root folder of the published Web server. The Web server must be published on port 80. In both cases, the Wspad.dat file must be located in the same folder as the Wpad.dat file.



    Implementing DNS or DHCP
    Consider the following criteria when deciding whether to use a DHCP WPAD entry, a DNS entry, or both:

    • WPAD entries in DNS can only be used by client computers that belong to a domain, and clients must be configured to resolve DNS names.
    • When implementing WPAD with a DNS server, entries must be configured for every domain containing clients enabled for automatic discovery.
    • A valid DHCP server must be installed.
    • When using DNS to publish WPAD, automatic discovery must be configured to use port 80. Alternatively, the outgoing Web requests must be configured to listen on port 80.
    • WPAD in DHCP is limited to specific user groups on some client computer operating systems. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions."
    • Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, while DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first and then query DNS.



    Windows Server 2008 DNS block list
    Protocols such as WPAD use the DNS dynamic update feature, which enables DNS client computers to register and dynamically update resource records when clients change a network address or host name. The dynamic update feature makes clients vulnerable to hijacking. For example, a malicious user could register a computer as a WPAD server and direct all WPAD queries to it. No system administrator intervention is required.
    The DNS Server role in Windows Server 2008 introduces a global query block list to reduce this vulnerability risk. This block list behaves as follows:

    • After installation or upgrade, the DNS Server service enumerates the zones for which it is authoritative. If it finds a host (A or AAAA) resource record for a host named wpad, the corresponding name is removed from the block list before the list is stored in the registry. This behavior does not affect clients using WPAD.
    • If you configure or remove WPAD after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all DNS servers that host the zones affected by the change. The affected zones are those where you registered the WPAD servers.



    -----------------------------------------------------------------------------------------------------------------------------
    Forefront TMG
    Configuring a WPAD server
    The WPAD server is the server on which the Wpad.dat and Wspad.dat configuration files are located. To use Microsoft Forefront Threat Management Gateway server as a WPAD server, you configure the network on which clients are located to publish automatic discovery information, and you specify the port number on which the Forefront TMG computer should make automatic discovery information available. Before deciding whether to use Forefront TMG as the WPAD server or to configure an alternate WPAD server, see About implementing WPAD.
    Configuring a network for WPAD requests
    You can configure Forefront TMG as the WPAD server as follows:

    1. In the console tree of Forefront TMG Management, click Networking.
    2. In the details pane, click the Networks tab, and then select the network on which you want to listen for WPAD requests from clients (usually the default Internal network).
    3. On the Tasks tab, click Edit Selected Network.
    4. On the Auto Discovery tab, select Publish automatic discovery information.
    5. In Use this port for automatic discovery requests, specify the port on which the Forefront TMG WPAD server should listen for WPAD requests from clients.

    Note: By default, Forefront TMG publishes automatic discovery information on port 8080. If you are using a WPAD entry in DNS, you must publish on port 80. WPAD entries in DHCP can use any port.


    ----------------------------------------------------------------------------------------------------------------------------
    Forefront TMG
    Creating a WPAD entry in DNS
    Create a WPAD entry in DNS
    Before setting up a WPAD entry in DNS, review the information in Planning automatic Web proxy detection, and read About automatic discovery.
    Configure a DNS entry on the DNS server of the domain controller of the network from which automatic discovery requests from clients will be received (usually the Internal network) as follows:

    1. Configure a host (A) record for the WPAD server. It is recommended to reserve a static DNS host name for WPAD, as described in Microsoft article 934864: How to configure Microsoft DNS and WINS to reserve WPAD registration.
    2. Create an alias (CNAME) record to point at the host record.



    Configure an alias for the WPAD entry

    1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    2. In the console tree, right-click the forward lookup zone for your domain, and click New Alias (CNAME).
    3. In Alias name, type WPAD.
    4. In Fully qualified name for target host, type the FQDN of the WPAD server. If the Forefront TMG computer or array already has a host (A) record defined, you can click Browse to search the DNS namespace for the Forefront TMG server name.

    The DNS Server role in Windows Server 2008 introduces a global query block list to reduce vulnerability associated with dynamic DNS updates. This may affect WPAD deployment. For more information, see About implementing WPAD.

    -----------------------------------------------------------------------------------------------------------------------------

    Web Proxy Autodiscovery Protocol

    From Wikipedia, the free encyclopedia

    The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate a URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL. The WPAD protocol only outlines the mechanism for discovering the location of this file, but the most commonly deployed configuration file format is the Proxy auto-config format originally designed by Netscape in 1996 for Netscape Navigator 2.0.[1] The WPAD protocol was drafted by a consortium of companies including Inktomi Corporation, Microsoft Corporation, RealNetworks, Inc., and Sun Microsystems, Inc. WPAD is documented in an INTERNET-DRAFT which expired in December 1999.[2] However, WPAD is still supported by all major browsers.[3][4] WPAD was first included with Internet Explorer 5.0.



    • About implementing WPAD
    • Configuring Forefront TMG Client for automatic detection
    • Configuring a WPAD server
    • Creating a WPAD entry in DNS

    mohammadi4, ibd_iran and Ali1497 thanked this post.
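The following is an added example, not code from the thread or from Microsoft's documentation: a PowerShell script that creates the DNS and DHCP WPAD entries the TechNet excerpts above describe, using the dnscmd.exe and netsh.exe tools that ship with Windows Server 2008, and then checks them from a client. The zone ibd.ir, the TMG host isa.ibd.ir and its IP 192.168.11.11 are taken from ibd_iran's post; that DC1 (assumed name dc1.ibd.ir) hosts the authoritative DNS zone and the DHCP scope 192.168.10.0 are assumptions.

```powershell
# Added example (not from the thread or Microsoft's docs). Run elevated on a
# machine that has the DNS and DHCP management tools installed.
$Zone       = 'ibd.ir'          # AD domain, from ibd_iran's post
$TmgHost    = 'isa.ibd.ir'      # TMG/ISA computer, from ibd_iran's post
$TmgIp      = '192.168.11.11'   # internal IP given for it in the post
$DnsServer  = 'dc1.ibd.ir'      # assumption: DC1 hosts the authoritative zone
$DhcpServer = 'dc1.ibd.ir'      # assumption: the DHCP role also runs on DC1
$Scope      = '192.168.10.0'    # assumption: client scope (client subnet in the post)
$DhcpPort   = 8080              # TMG default auto-discovery port; DHCP may use any port

# 1. DNS path: host (A) record for the TMG computer (skip if it has already
#    registered itself dynamically), then the 'wpad' alias (CNAME) to that host.
#    A DNS entry carries no port, so TMG must publish auto-discovery on port 80
#    (Networking > Internal network > Auto Discovery tab) for this path to work.
dnscmd $DnsServer /RecordAdd $Zone isa  A     $TmgIp
dnscmd $DnsServer /RecordAdd $Zone wpad CNAME "$TmgHost."

# 2. Windows Server 2008 DNS keeps a global query block list that refuses to
#    answer 'wpad' unless the name existed before the DNS role was installed.
#    Rewrite the list so it holds only 'isatap', which keeps wpad answerable.
dnscmd $DnsServer /Config /GlobalQueryBlockList isatap
dnscmd $DnsServer /Info   /GlobalQueryBlockList     # confirm 'wpad' is no longer listed

# 3. DHCP path: define option 252 once on the server, then set it on the scope.
#    The port in this URL must match the one on TMG's Auto Discovery tab.
netsh dhcp server \\$DhcpServer add optiondef 252 WPAD STRING 0 comment=WPAD_URL
netsh dhcp server \\$DhcpServer scope $Scope set optionvalue 252 STRING "http://${TmgHost}:${DhcpPort}/wpad.dat"

# 4. Verify from a domain-joined client: the alias resolves, and Wpad.dat is
#    served from the web root on port 80 (DNS path) and from the option-252 URL
#    (DHCP path). TMG's Wpad.dat is a PAC script, so it contains FindProxyForURL.
nslookup "wpad.$Zone"
$wc = New-Object System.Net.WebClient
$wc.DownloadString("http://wpad.$Zone/wpad.dat")              | Select-String 'FindProxyForURL'
$wc.DownloadString("http://${TmgHost}:${DhcpPort}/wpad.dat") | Select-String 'FindProxyForURL'
```

If step 4 resolves the name but the download on port 80 fails, the TMG network is still publishing on 8080 and only the DHCP path will work.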
