Mark Stanfill has started a great series, via his Twitter account, covering EBS rules for TMG. So good that I thought it a great idea to include them here. I’ll add to this post as he adds additional rules. Following are the first sets, plus a bonus precursor:
#EBS08 New series: Mark’s rules for TMG Firewall client (MRFTFC)
#EBS08 Never use ‘route add’ on TMG. Use the TMG getting started wizard instead. Look for startup scripts that do route adds,exclude admin
#EBS08 MRFTFC #1 – You probably don’t need th FWC. 99% of apps can get by with SNAT and web proxy
#EBS08 MRFTFC #2 – Install from Management Server (not Security): C:\Program Files\Windows Essential Business Server\bin\ISA\client
#EBS08 MRFTFC #3 You only need the FWC if you have an APP that needs it or if you want to track access by user rather than by IP.
#EBS08 MRFTFC #4 Down-level FWC from ISA 2004/6 still works, but you should update it if you use it.
New #EBS08 TMG rule 1 – never, ever use “route add” – you will corrupt the IP stack
New #EBS08 TMG rule 2 – add routes via the getting started wizard only – TMG Console -> Forefront TMG -> Tasks
New #EBS08 TMG rule 3 – Only use TMG Console to configure VPN, never RRAS Mgmt console
New #EBS08 TMG rule 4 – Never, ever,ever, ever disable IPv6 on Security Server – you will never fix anything, but you will break RRAS
New #EBS08 TMG rule 5 – Networks under TMG Console\Networking\Networks must have an interface on TMG server itself or we’ll drop traffic
New #EBS08 TMG rule 6 – deploy firewall client via gpo from MGMT server: c:\progra~1\window~3\bin\isa\client — Exclude Servers from GPO