Friday, August 19, 2011

TMG 2010 and RSA: things you have to remember.


If your setup requires you to get TMG and RSA talking to each other to meet a two-factor authentication (government) requirement and you have never done this before, keep reading; hopefully the checklist here will get you through.

Assumption: you have already configured your TMG server, and you have an RSA server in your network.

Summary

1. Add a persistent static route to the RSA server(s) from each TMG server.


2. Modify the registry on each TMG server to specify which IP address the ACE client (the RSA agent) will use.


3. Go to the Network Connections panel (Advanced Settings) and make sure the Internal NIC is listed first in the NIC binding order.


4. In the TMG console, under Networking > Networks, make sure the RSA server IP addresses (or their subnet) are part of the Internal network address range.


5. Obtain the sdconfig file from the RSA administrator (it is generated on the RSA server) and save it on the TMG server in two places.


6. Locations for the sdconfig file on the TMG servers:

  • C:\Windows\System32
  • E:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig


7. Download the RSA test tool from here. ***Install this tool into the same directory as the TMG binaries.***


8. Your TMG publishing rule for CAS 2010 (Exchange Client Access) won't work until the test tool succeeds, so get the test working first.


1. On each TMG server you have to make sure a persistent static route is in place, so that TMG knows how to reach the RSA servers (network routing).

Open CMD with administrator privileges on the TMG server and run the one-line command below (swap in the IP address and the correct next-hop gateway for your scenario).

RSA server IP = 172.26.4.202

TMG internal NIC = 172.26.7.105/27 (/27 = 255.255.255.224, so the internal subnet is 172.26.7.96/27)

TMG external NIC = 172.26.7.12/27

My default gateway for the TMG server (on the external NIC) = 10.0.0.1


route add 172.26.4.202 mask 255.255.255.255 172.26.7.97 -p

Let me explain a little what the 255.255.255.255 mask means here: it is a host route, so only traffic to the single destination IP 172.26.4.202 is sent via the internal-side gateway 172.26.7.97 on the TMG server. The next hop has to be an address on the internal NIC's own subnet (172.26.7.96/27); if it is not, Windows cannot reach it directly and the route does nothing useful.

If you want a route to the entire network instead, use a classless subnet mask. The destination must then be the network address with the host bits cleared (172.26.4.0, not 172.26.4.202), otherwise Windows rejects the command. In this case it would look like this:

This opens the route to the entire 172.26.4.0/24 network, not one host!

route add 172.26.4.0 mask 255.255.255.0 172.26.7.97 -p

Delete the route (if you make a mistake and want to remove the persistent route):

route delete 172.26.4.202

If you want to see the static route table:

route print


*****If no static route is defined, the TMG server sends the RSA traffic to its default gateway, i.e. out of the external NIC (172.26.7.12), which is on a different subnet from the internal NIC. The internal and external interfaces are separated not only by the TMG firewall itself but most likely by another firewall (Cisco etc.) as well, so the two will not be allowed to talk.*****

Now, on each TMG server, you have to edit the registry and tell the RSA ACE client which IP address it should use to talk to the RSA server.


  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient
  • Value (REG_SZ): "PrimaryInterfaceIP"="172.26.7.105"
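The two TMG-side steps above (the persistent host route and the AceClient registry value) plus a check for the sdconfig file, collected into one script. This is an added example, not a script from the original post or from Microsoft/RSA; it uses the post's addresses (RSA 172.26.4.202, internal NIC 172.26.7.105/27, next hop 172.26.7.97), and the sdconfig file name `sdconf.rec` and the function names are assumptions. It also does the sanity check a practitioner wants before running `route add`: the next hop must be inside the internal NIC's subnet, and after the add the route must actually be bound to the internal interface. Run it elevated on the TMG server; it is written for PowerShell 2.0 (Windows Server 2008 R2), which is why it parses `route.exe` output instead of using Get-NetRoute.

```powershell
# Added example, not part of the original post. Changes routing and registry; run elevated.
$RsaServer       = '172.26.4.202'
$InternalNicIp   = '172.26.7.105'
$InternalPrefix  = 27
$InternalGateway = '172.26.7.97'    # assumption: the router on the internal subnet 172.26.7.96/27
$SdconfigName    = 'sdconf.rec'     # assumption: the file name the RSA agent expects
$SdconfigDirs    = @('C:\Windows\System32',
                     'E:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig')

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted quad -> unsigned 32-bit integer so a netmask can be applied with -band.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # big-endian
    [array]::Reverse($bytes)                                         # BitConverter reads little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-SameSubnet ([string]$IpA, [string]$IpB, [int]$Prefix) {
    # True when both addresses share the network part under the given prefix length.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Prefix))   # /27 -> 0xFFFFFFE0
    ((ConvertTo-UInt32 $IpA) -band $mask) -eq ((ConvertTo-UInt32 $IpB) -band $mask)
}

function Get-HostRoute ([string]$Destination) {
    # Find the active /32 route to $Destination in 'route print' output.
    # Active-route lines look like: dest  255.255.255.255  gateway  interface  metric
    $ipv4    = '\d+\.\d+\.\d+\.\d+'
    $pattern = '^\s*{0}\s+255\.255\.255\.255\s+({1})\s+({1})\s+\d+\s*$' -f [regex]::Escape($Destination), $ipv4
    foreach ($line in (route.exe -4 print)) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{ Destination = $Destination; Gateway = $matches[1]; Interface = $matches[2] }
        }
    }
}

function Add-RsaHostRoute {
    # Refuse a next hop that is not on-link: Windows would accept it but never use it.
    if (-not (Test-SameSubnet $InternalGateway $InternalNicIp $InternalPrefix)) {
        throw ("Next hop {0} is not inside the internal NIC subnet ({1}/{2})." -f $InternalGateway, $InternalNicIp, $InternalPrefix)
    }
    if (Get-HostRoute $RsaServer) { Write-Host "Host route to $RsaServer already present."; return }
    # /32 host route; -p stores it under PersistentRoutes so it survives a reboot.
    route.exe -p add $RsaServer mask 255.255.255.255 $InternalGateway
    if ($LASTEXITCODE -ne 0) { throw "route add failed with exit code $LASTEXITCODE" }
}

function Set-AceClientPrimaryInterface {
    # The key is created by the RSA agent install; do not create it by hand, the agent would not be there.
    $key = 'HKLM:\SOFTWARE\SDTI\AceClient'
    if (-not (Test-Path $key)) { throw "$key not found; install the RSA Authentication Agent first." }
    Set-ItemProperty -Path $key -Name 'PrimaryInterfaceIP' -Value $InternalNicIp -Type String
    (Get-ItemProperty -Path $key -Name 'PrimaryInterfaceIP').PrimaryInterfaceIP
}

function Test-SdconfigPresent {
    foreach ($dir in $SdconfigDirs) {
        $path = Join-Path $dir $SdconfigName
        New-Object PSObject -Property @{ Path = $path; Present = (Test-Path $path) }
    }
}

# ---- run the checklist ----
Add-RsaHostRoute
$route = Get-HostRoute $RsaServer
if ($route -and $route.Interface -eq $InternalNicIp) {
    Write-Host ("OK: {0} via {1} on interface {2}" -f $route.Destination, $route.Gateway, $route.Interface)
} else {
    Write-Warning "Host route missing or bound to the wrong interface; check the next hop and the NIC binding order."
}
Write-Host ("AceClient PrimaryInterfaceIP = {0}" -f (Set-AceClientPrimaryInterface))
Test-SdconfigPresent | ForEach-Object {
    Write-Host ("{0}: {1}" -f $_.Path, $(if ($_.Present) { 'present' } else { 'MISSING' }))
}
```

If the final route check reports the route on the external NIC's address instead of 172.26.7.105, the next hop is wrong or the interface binding order is not what step 3 of the summary requires; fix that before running the RSA test tool, because the agent will otherwise source its packets from the wrong interface.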

Respectfully,
Oz Casey Dedeal (MVP North America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)
