Just after recommendations on how I should upgrade our old ISA 2006 box with the new TMG. Currently our structure is as follows.
We have about 10 branch sites all connected in a private cloud, which goes straight out of the cloud for internet access. All sites come back to HO for mail and VPN access. Most sites have DCs which point back to HO DNS. My aim is not only to upgrade to TMG but also to make some improvements to the layout.
1. Main internet pipe ---> Straight out IP Cloud (Private cloud(vpn) and internet access)
2. Secondary connect ---> ISA ---> Internet (3 NIC ISA mail/VPN/ftp etc.) ---> DMZ
It is a straightforward upgrade; however, I am considering using a caching DNS and maybe even using TMG as a backend firewall for the main internet pipe.
From: Taylorville, IL
A private cloud cannot go "straight out" to the Internet because it is a private network,...therefore the service provider has a Firewall (either NATing or Proxying) at the Public Edge where the private network and the public network meet. So,...in my opinion,...there is no reason for the ISA or the TMG to even exist.
But in answer to your specific question,...my only recommendation is to never ever let the ISA or TMG be involved in DNS in any way for any reason,...all it will do is get in the way,...slow things down,...and create another "point of failure".
I have no other recommendation for any of the rest of it. In the private network situation you are in, the network provider controls everything and is the "go to" for security, because it is their firewall that provides your security. Basically you are "inside" someone else's private network and everything is controlled by them.