Topic Last Modified: 2010-12-13

You must assign one or more IP addresses to the external network adapter and at least one IP address to the internal network adapter.

If this is a new installation, install Microsoft Forefront Threat Management Gateway 2010 according to the setup instructions included with the product.

In the following procedures, the server running Forefront Threat Management Gateway (TMG) 2010 has two network adapters:

As with the Edge Servers, you need to set the default gateway on the external-facing adapter to the internal address of the external firewall, and you need to create persistent static routes on the internal-facing interface for all subnets that contain servers referenced by the web publishing rules.

The reverse proxy must be able to resolve the internal Director and next hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons, we recommend that you do not have Edge Servers access a DNS server located in the internal network. This means you need either DNS servers in the perimeter or HOSTS file entries on the reverse proxy that resolve each of these FQDNs to the internal IP address of the servers.
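One way to script the persistent static routes and HOSTS file entries described above, and to confirm that the FQDNs then resolve to the intended internal addresses. This is an added example, not part of the original topic: every address, subnet, and FQDN is a constructed placeholder, and it assumes an elevated PowerShell 2.0 session on the TMG server with English `route print` output.

```powershell
# Constructed sample values: replace with your own gateway, subnets, and FQDNs.
$internalGateway = '10.0.0.1'    # next hop reachable from the internal-facing adapter
$routes = @(
    @{ Subnet = '10.10.20.0'; Mask = '255.255.255.0' }   # subnet holding the Director
    @{ Subnet = '10.10.30.0'; Mask = '255.255.255.0' }   # subnet holding the next hop pool
)
$publishedHosts = @{
    'director01.contoso.internal' = '10.10.20.15'
    'pool01.contoso.internal'     = '10.10.30.25'
}

# 1. Add each route as persistent (-p) unless it is already listed under
#    "Persistent Routes:" in the IPv4 routing table.
$persistent = ((route.exe print -4 | Out-String) -split 'Persistent Routes:')[-1]
foreach ($r in $routes) {
    if ($persistent -notmatch [regex]::Escape($r.Subnet)) {
        route.exe -p add $r.Subnet mask $r.Mask $internalGateway
    }
}

# 2. Append a HOSTS entry for each FQDN that has no uncommented entry yet.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$current = Get-Content $hostsPath
foreach ($name in $publishedHosts.Keys) {
    $pattern = '^\s*[^#\s]+\s+.*\b' + [regex]::Escape($name) + '\b'
    if (-not ($current -match $pattern)) {
        Add-Content -Path $hostsPath -Value ("{0}`t{1}" -f $publishedHosts[$name], $name)
    }
}

# 3. Verify that the resolver returns the expected internal address for each
#    FQDN. A mismatch means a stale HOSTS entry or a DNS server is answering.
foreach ($name in $publishedHosts.Keys) {
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "$name does not resolve: $($_.Exception.Message)"
        continue
    }
    if ($resolved -notcontains $publishedHosts[$name]) {
        Write-Warning "$name resolves to '$resolved', expected $($publishedHosts[$name])"
    }
}
```

Run step 1 only after the internal adapter has its IP address, because `route add` rejects a gateway that is not reachable from a local interface.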

To configure the network adapter cards on the reverse proxy computer

  1. On the Windows Server 2008 or Windows Server 2008 R2 server running TMG 2010, open Change Adapter Settings by clicking Start, pointing to Control Panel, clicking Network and Sharing Center, and then clicking Change Adapter Settings.

  2. Right-click the external network connection that you want to use for the external interface, and then click Properties.

  3. On the Properties page, click the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) in the This connection uses the following items list, and then click Properties.

  4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses as appropriate for the network subnet to which the network adapter is attached.

    If the reverse proxy is already being used by other applications that use HTTPS/443, such as for publishing Outlook Web Access, you either need to add another IP address so that you can publish the Lync Server 2010 Web Services on HTTPS/443 without interfering with the existing rules and web listeners, or you need to replace the existing certificate with one that adds the new external FQDN names to the subject alternative name.

  5. Click OK, and then click OK.

  6. In Network Connections, right-click the internal network connection that you want to use for the internal interface, and then click Properties.

  7. Repeat steps 3 through 5 to configure the internal network connection.