About connecting networks

You create Microsoft Forefront Threat Management Gateway network rules to explicitly allow networks to communicate. Forefront TMG defines a number of predefined network rules following installation:

  • Local Host access—This rule defines a route relationship between the Local Host network (the Forefront TMG server) all other networks connected to the Forefront TMG server.
  • VPN Clients to Internal network—This rule defines a route relationship between the Internal network and the Quarantined VPN Clients and VPN Clients networks.
  • Internet access—This rule defines a NAT relationship between all predefined networks and the External network.

You can modify the properties of predefined network rules, and create new network rules. For instructions, see Configuring network rules.

Each network rule has a relationship defined to specify how traffic flowing between the networks is handled. When you create a network rule, you can configure a route or Network Address Translation (NAT) relationship.

Route relationship

Route relationships are bidirectional. For example, if a network rule defines a route relationship from network A to network B, then an implicit route relationship also exists from network B to network A. Client requests from the source or destination network are forwarded directly to the other network, with the source and destination IP addresses unchanged. Use a route relationship where IP addresses do not need to be hidden between networks. This is a common configuration between two networks with public IP addresses or between two networks with private addresses. In either case, hosts in each network must define the Forefront TMG IP address in their local network as the route to the other network. In many cases, simply defining the Forefront TMG IP address as the default gateway is sufficient. When you create access rules or server publishing rules, a route relationship affects traffic as follows:

  • When using access rules, Forefront TMG forwards the traffic with the source and destination IP addresses intact.
  • When using server publishing rules, Forefront TMG forwards the traffic as it does for access rules, but it uses application filters directly. For example, the Single Mail Transfer Protocol (SMTP) filter is not used for SMTP traffic handled by an access rule, but it is used with traffic handled by a server publishing rule. For more information, see About network relationships and firewall policy.

NAT relationship

NAT relationships between networks are unidirectional. The traffic is handled according to the source or destination of the traffic. Forefront TMG performs NAT as follows:

  • In access rules, Forefront TMG replaces the client IP address on the source network with the Forefront TMG default IP address for the destination network. For example, if you create a NAT relationship in a network rule between the Internal network and the External network, the source IP address of a request from the Internal network will be replaced with the default IP address of the Forefront TMG network adapter connected to the External network. Access rules that handle traffic between networks defined with a NAT relationship can only use the source network specified on the From tab and the destination network specified on the To tab of the rule.
  • In server publishing rules, the client in the destination network makes a connection to the Forefront TMG IP address on which the publishing rule is listening for requests. When Forefront TMG forwards the traffic to the published server, it replaces the Forefront TMG IP address with the IP address of the internal server that it is publishing, but does not modify the source IP address. Note that in a NAT relationship, server publishing rules can only access the network specified as the destination network. In addition, because server publishing across networks with NAT leaves the source IP address intact when forwarding traffic to the published server, the published server must use the Forefront TMG computer as the last hop in the routing structure to the destination network. If this is not possible, configure server publishing rules to use the setting Requests appear to come from the Forefront TMG computer. This causes Forefront TMG to perform full NAT on the traffic handled by the rule. For more information, see About network relationships and firewall policy.