Firewall Options

In Windows EBS, the Security Server is designed to function as a network firewall by using Microsoft® Forefront™ Threat Management Gateway. Through regular updates, Forefront TMG (formerly called Internet Security and Acceleration (ISA) Server) helps protect IT environments from Internet-based threats while providing users with policy-based remote access to applications and data.

If your network already has a dedicated firewall device or a router that provides firewall capabilities, you can replace it by using the Security Server as the network firewall, or you can deploy the Security Server behind your existing device. In many cases the simpler deployment option is to replace your existing firewall device with the Security Server. Windows EBS is designed to provide network firewall capabilities in the network topologies that are likely to be implemented in a medium-size organization. These topologies include many single-subnet networks, routed networks with multiple subnets, and networks with site-to-site virtual private networks (VPNs). For more information about the network topologies that are supported by Windows EBS, see the Product Overview on the Microsoft Web site (https://go.microsoft.com/fwlink?LinkId=108899).

Note

If your existing firewall device has failover capabilities, make sure that you plan to decommission the secondary device at the same time that you replace the firewall device.

As an advanced option, you can retain your existing firewall device and configure the Security Server as a back-end firewall for the existing device. This is an appropriate deployment option in cases where it is necessary to retain the existing firewall device, including the following:

  • You have requirements for a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet).
  • You require a network gateway that is provided as a managed service by an outside organization or service provider.
  • Your existing firewall devices at branch locations are not compatible with Forefront TMG.

Important

If your network includes a managed firewall device or a managed switch, contact your service provider to help plan the deployment of Windows EBS. When you schedule the installation of Windows EBS, ensure that your service provider is available to make any configuration changes that you need.

Depending on your choice for deploying the Security Server, the Planning Wizard helps you collect the network address settings, firewall rules, and VPN access rules (if applicable) that you will need later to integrate the Security Server into your network and restore network connections. Guidance for performing the appropriate configuration steps is provided in the Installation Wizard and the Configuration and Migration Tasks checklist.

Warning

If you retain your existing firewall, you will usually have more configuration tasks when you deploy Windows EBS. This choice will require you to maintain a more complex network topology that includes coordinated firewall settings in your existing firewall device and the Security Server. The added complexity of maintaining two firewalls can increase the potential for disrupted network services (for example, disruptions caused by mismatched firewall settings).