Before creating networks

Following installation, you can create new networks and modify predefined networks. Before you start, ensure that you understand the following principles:

  • The Microsoft Forefront Threat Management Gateway server must have at least one network adapter configured and enabled. A Forefront TMG computer that has only a single network adapter is subject to some functional restrictions. For more information, see About single network adapter limitations.
  • Each network you create must have a dedicated network adapter associated with it. For example, to create a topology that includes the internal corporate network, the Internet, and a perimeter network, three network adapters must be installed and enabled on the Forefront TMG computer. There are some exceptions. In a back-to-back firewall configuration, where the Internet is behind a perimeter network, there is no adapter associated with the external network. In addition, a VPN site-to-site network object does not have an adapter associated with it.
  • All IP addresses that can be reached directly from a network adapter must be defined as part of the Forefront TMG network that is associated with the adapter. All remote subnets must be added correctly to the network definition, and the IP address range of the network must match the routing table. Routes should be defined in the routing table for each remote subnet.
  • A network adapter can have zero or more addresses and must only be associated with one Forefront TMG network. There must be no overlap of address ranges on a network.
  • Do not use dynamic addresses on Forefront TMG network adapters, except for the adapter associated with the External network.
  • A default gateway should only be configured on one of the Forefront TMG network adapters. Only one default gateway should be configured on that adapter. This is usually on the External adapter that provides Forefront TMG with a gateway to the Internet.
  • Any IP address that is not contained in Forefront TMG protected networks is considered part of the External network.

Every time a network adapter receives a packet, Forefront TMG checks whether the packet's source IP address is a valid address for the specific network adapter that received it. If the address is not considered valid, Forefront TMG alerts that an IP spoofing attack has occurred. An IP address is considered valid for a specific network adapter if both of the following conditions are true:

  • The IP address resides in the network of the adapter through which it was received.
  • The routing table indicates that traffic destined to that address may be routed through the adapter belonging to that network.

A packet is considered spoofed (and therefore dropped) if one of the following is true:

  • The packet contains a source IP address that (according to the routing table) is not reachable through a network adapter associated with the network.
  • The packet contains a source IP address that does not belong to the address range of a network associated with the adapter.

When Forefront TMG detects a spoofed packet, Forefront TMG triggers an alert indicating the reason that the packet is considered spoofed.
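The two validity conditions above, applied to a small constructed topology, as an added example (not Forefront TMG code). It assumes one adapter per network, named after the network, and a routing table that is missing the route for one remote subnet, which is the mismatch the checklist warns about.

```python
import ipaddress

# Constructed sample topology (an added example, not from the Forefront TMG docs):
# one adapter per TMG network, named after the network. The External network lists
# no ranges because any address outside a protected network is External.
PROTECTED_NETWORKS = {
    "Internal": ["10.0.0.0/24", "10.1.0.0/24"],  # 10.1.0.0/24 is a remote subnet
    "Perimeter": ["192.168.1.0/24"],
}

# Constructed routing table as (destination prefix, adapter). Deliberately missing a
# route for the remote subnet 10.1.0.0/24, so network definition and routes disagree.
ROUTES = [
    ("10.0.0.0/24", "Internal"),
    ("192.168.1.0/24", "Perimeter"),
    ("0.0.0.0/0", "External"),
]

def network_of(ip):
    """Return the TMG network containing ip; unlisted address space is External."""
    for name, ranges in PROTECTED_NETWORKS.items():
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"

def route_adapter(ip, routes=ROUTES):
    """Longest-prefix match: the adapter the routing table uses to reach ip."""
    matches = [(ipaddress.ip_network(dst), adapter) for dst, adapter in routes
               if ip in ipaddress.ip_network(dst)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check_source(src, received_on, routes=ROUTES):
    """Apply both conditions; return (is_valid, reason) as an alert would report it."""
    ip = ipaddress.ip_address(src)
    if network_of(ip) != received_on:
        return False, f"{src} is outside the address range of network {received_on}"
    if route_adapter(ip, routes) != received_on:
        return False, f"routing table does not reach {src} through adapter {received_on}"
    return True, "valid source for adapter " + received_on

if __name__ == "__main__":
    for src, adapter in [("10.0.0.5", "Internal"), ("10.0.0.5", "External"),
                         ("10.1.0.9", "Internal"), ("203.0.113.7", "External")]:
        print(src, "on", adapter, "->", check_source(src, adapter))
    # Adding the missing route makes the remote subnet a valid source on Internal.
    fixed = ROUTES + [("10.1.0.0/24", "Internal")]
    print("10.1.0.9 on Internal (route added) ->", check_source("10.1.0.9", "Internal", fixed))
```

The 10.1.0.9 case passes the address-range condition but fails the routing-table condition until the route for the remote subnet is added, which is why the page requires the network definition and the routing table to match.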