Lately I helped a colleague set up a TMG array. The TMG nodes were in a workgroup in the DMZ. In the LAN there was a domain-joined EMS server. As there was a firewall between the DMZ and the LAN, we had to open up some ports. The TMG documentation is pretty good, but I couldn’t find any documentation regarding the firewall ports…
So here is a table I built by setting up a DC, EMS, TMG and a m0n0wall virtual firewall appliance in my personal lab. I like m0n0wall as it comes with an easy web interface. It also has logging, which you can activate on a per-rule basis. Here are some screenshots:
Firewall rules:
Logging:
And finally the result of all my hard work:
| From | To | TCP/UDP | Port | Remark |
|------|----|---------|------|--------|
| EMS | TMG | TCP | 135 | RPC endpoint mapper |
| EMS | TMG | TCP | 10000-65535 | RPC |
| EMS | TMG | TCP | 445 | Remote diagnostic logging |
| EMS | TMG | TCP | 3847 | MS Firewall Control |
| TMG | EMS | TCP | 2171 | MS Firewall Storage |
| TMG | EMS | TCP | 2172 | MS Firewall Secure Storage |
| TMG | EMS | TCP | 3847 | MS Firewall Control |
Some remarks:
- RPC from TMG –> EMS doesn’t seem necessary. I was able to open the MMC on both the EMS and the TMG node.
- RPC from EMS –> TMG starts at port 10000. Although Windows 2008 (and R2) officially starts the dynamic range at 49152, there are some server products which modify this. Think TMG, think Exchange. (See “The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008”.)
- EMS –> TMG port 445 was necessary for remote diagnostic logging. I’m still looking into why I can’t view the logging remotely. I can enable/disable it though…
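As an added example (not part of the original post), here is a PowerShell script that probes the fixed ports from the table above from whichever node it runs on, and separates a silent drop by the DMZ firewall (timeout) from a port the firewall passes but nobody listens on (refused). The EMS and TMG hostnames are placeholders you replace with your own.

```powershell
# Added example, not from the original post: probe the TCP ports from the table
# above from the node this runs on (EMS or TMG). Hostnames are placeholders.
param(
    [ValidateSet('EMS','TMG')][string]$LocalRole = 'EMS',
    [string]$Ems = 'ems.lan.example',   # assumed EMS server name (placeholder)
    [string]$Tmg = 'tmg01.dmz.example', # assumed TMG array node name (placeholder)
    [int]$TimeoutMs = 2000
)

# Fixed ports from the table. The RPC dynamic range (10000-65535) is not probed:
# a blind connect to a random high port only answers while an RPC server listens.
$rules = @(
    @{ From='EMS'; To='TMG'; Port=135;  Remark='RPC endpoint mapper' },
    @{ From='EMS'; To='TMG'; Port=445;  Remark='Remote diagnostic logging' },
    @{ From='EMS'; To='TMG'; Port=3847; Remark='MS Firewall Control' },
    @{ From='TMG'; To='EMS'; Port=2171; Remark='MS Firewall Storage' },
    @{ From='TMG'; To='EMS'; Port=2172; Remark='MS Firewall Secure Storage' },
    @{ From='TMG'; To='EMS'; Port=3847; Remark='MS Firewall Control' }
)
$nodes = @{ EMS = $Ems; TMG = $Tmg }

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs) {
    # Plain TCP connect with a timeout (runs on PowerShell 2.0, no Test-NetConnection needed).
    # TIMEOUT = packets silently dropped, typically a missing DMZ firewall rule.
    # FAILED  = the connect returned an error; a "refused" message means the firewall
    #           passes the port but nothing listens on it yet.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT' }
        $client.EndConnect($async)
        return 'OPEN'
    } catch { return "FAILED: $($_.Exception.Message)" }
    finally { $client.Close() }
}

# Only rules that originate on this node can be verified from here.
$rules | Where-Object { $_.From -eq $LocalRole } | ForEach-Object {
    New-Object PSObject -Property @{
        Direction = "$($_.From) -> $($_.To)"
        Port      = $_.Port
        Remark    = $_.Remark
        Result    = Test-TcpPort -Target $nodes[$_.To] -Port $_.Port -TimeoutMs $TimeoutMs
    }
} | Format-Table Direction, Port, Remark, Result -AutoSize

if ($LocalRole -eq 'TMG') {
    # The post saw TMG's RPC range start at 10000, not the Windows default of 49152;
    # the EMS -> TMG RPC rule must cover the range this command reports.
    netsh int ipv4 show dynamicport tcp
}
```

Run it once on the EMS server with `-LocalRole EMS` and once on a TMG node with `-LocalRole TMG` to cover both directions in the table.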
3 Responses to Forefront TMG Array In Workgroup Managed By EMS: Firewall Ports
Very concise info, thanks much!
thank you great job
Thank you for the job...
But really, this is the kind of traffic we forbid between DMZ/LAN. It’s too bad.