I am currently implementing a TMG server to act as a back firewall for added security, URL filtering, publishing Exchange/Lync, etc., and putting this in a DMZ.
My Cisco external interface is pointing to a public IP to our ISP. I have another interface which is connected to the external interface of my TMG. I then have my internal TMG interface connected to my internal LAN.
I am confused as to whether I should use public or private IP addresses for the external TMG server interface and the Cisco interface. I have been given a block of public IPs from my ISP, for example 66.211.213.X. Can I just use a switch to connect the Cisco and the TMG server, then add web servers/Exchange CAS to this DMZ switch?
Also, for the interface on the Cisco connected to TMG, I am not sure what the security level should be (any Cisco guys who can help?).
I ended up using all private IPs for the internal Cisco interfaces and the TMG server interfaces. For the internal interface, security level 100 was used, since we have the DMZ coming from a non-routable VLAN on our L3 switch right into the ASA. Using security level 100 made it easier for the outbound traffic, as it uses the default ACL for passing the internal traffic to less secure networks. For connectivity, our ASA actually just plugs directly into our L3 switch, and we just use VLANs and trunking to direct the traffic from the ASA to the TMG and back to our switch. For our servers in the DMZ, static NAT was used for publishing. This could all really change if you choose to have the DMZ come off the TMG instead of the ASA.
In the back firewall setup, does the NATing from the ASA always go to the external interface of TMG, and then TMG publishes whatever to the DMZ servers? Or do you just NAT straight to the DMZ servers from the ASA (which seems like it would bypass TMG)?
Also, I decided I want to go with public IPs for the DMZ.
Since our DMZ comes off the ASA, NAT mapping was direct to the servers in the DMZ, so the TMG didn't even come into play. Though some configuration was done on the TMG to allow comms from the DMZ to the internal network for AD, RADIUS, etc.
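The "DMZ off the ASA" design described in the two replies above (security levels, static NAT straight to the DMZ hosts, DMZ-to-internal access for AD/RADIUS) as an added example in ASA 8.3+ syntax; this is not configuration from the thread. Interface names, VLAN ids and all addresses are constructed placeholders (RFC 5737 / RFC 1918 ranges), and the inbound ACLs are my own tightening, not something the posters said they used.

```cisco
! Added example, not from the thread. Interfaces, VLANs and
! addresses are constructed placeholders.

! Outside interface toward the ISP
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0

! Trunk to the L3 switch; subinterfaces carry the internal and DMZ VLANs
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0

! Published DMZ host (e.g. Exchange CAS): one-to-one static NAT to a public
! address. The ASA maps straight to the server, so TMG is not in the path.
object network dmz-cas
 host 10.20.0.10
 nat (dmz,outside) static 203.0.113.10

! Inbound from outside is denied by default; open only the published
! service. On 8.3+ the ACL references the real (untranslated) address.
access-list outside_in extended permit tcp any object dmz-cas eq 443
access-group outside_in in interface outside

! inside(100) -> dmz(50) -> outside(0) is allowed by the default
! higher-to-lower rule, so outbound internal traffic needs no ACL.
! dmz -> inside is lower-to-higher and must be permitted explicitly.
! Note: once an ACL is bound to the dmz interface the default is replaced
! by an implicit deny, so dmz -> outside must be re-permitted as well.
access-list dmz_in extended permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 389
access-list dmz_in extended permit udp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 1812
access-list dmz_in extended deny ip any 10.10.0.0 255.255.255.0
access-list dmz_in extended permit ip 10.20.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Check the result with `show nat detail` and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443` to confirm the translation and that only port 443 is reachable from outside.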