
Forefront TMG Array In Workgroup Managed By EMS: Firewall Ports

Published on Monday, June 13, 2011

Lately I helped a colleague set up a TMG array. The TMG nodes were in a workgroup in the DMZ; the domain-joined EMS server was in the LAN. Since there was a firewall between the DMZ and the LAN, we had to open some ports. The TMG documentation is pretty good, but I couldn’t find anything about which firewall ports are required…

So here is a table I built by setting up a DC, an EMS, a TMG node and a m0n0wall virtual firewall appliance in my personal lab. I like m0n0wall because it comes with an easy web interface and has logging that you can enable on a per-rule basis. Here are some screenshots:

Firewall rules: [screenshot of the m0n0wall rule set]

Logging: [screenshot of the m0n0wall per-rule logging]

And finally the result of all my hard work:

From | To  | TCP/UDP | Port        | Remark
-----|-----|---------|-------------|---------------------------
EMS  | TMG | TCP     | 135         | RPC endpoint mapper
EMS  | TMG | TCP     | 10000-65535 | RPC
EMS  | TMG | TCP     | 445         | Remote diagnostic logging
EMS  | TMG | TCP     | 3847        | MS Firewall Control
TMG  | EMS | TCP     | 2171        | MS Firewall Storage
TMG  | EMS | TCP     | 2172        | MS Firewall Secure Storage
TMG  | EMS | TCP     | 3847        | MS Firewall Control
TMG  | EMS | TCP     | 135         | RPC endpoint mapper
TMG  | EMS | TCP     | 49152-65535 | RPC

Some remarks:

  • RPC from TMG –> EMS doesn’t seem necessary. I was able to open the MMC on both the EMS and the TMG node.
  • RPC from EMS –> TMG starts at port 10000. Although Windows Server 2008 (and R2) officially starts the dynamic range at 49152, some server products modify this. Think TMG, think Exchange. (See the Microsoft KB article “The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008”.)
  • EMS –> TMG port 445 was necessary for remote diagnostic logging. I’m still looking into why I can’t view the logging remotely. I can enable/disable it though…
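To check a matrix like the one above without a lab firewall, the following PowerShell script (an added example written for this page, not code from the original post or from Microsoft) connect-tests the fixed ports from whichever side it is run on and prints the local TCP dynamic port range, which is the figure the DMZ firewall rule for RPC has to match. It uses a raw TcpClient rather than Test-NetConnection so that it runs on Windows Server 2008 R2 / PowerShell 2.0, and it parses the English output of netsh, so the host names (ems01.corp.local, tmg01) and the English netsh labels are assumptions. The two RPC dynamic-range rows are not connect-tested, since nothing listens there until a client has been handed a port by the endpoint mapper; the script reports the range instead so you can compare it with what the firewall allows.

```powershell
# Added example (not from the original post): connect-test the EMS <-> TMG port
# matrix from either side and report the local RPC dynamic port range.
# Assumed (hypothetical) host names: EMS "ems01.corp.local", TMG node "tmg01".
param(
    [ValidateSet('EMS', 'TMG')][string]$Role = 'EMS',
    [string]$EmsHost = 'ems01.corp.local',
    [string]$TmgHost = 'tmg01',
    [int]$TimeoutMs = 3000
)

# Fixed ports from the table in the post. The dynamic RPC ranges
# (EMS->TMG 10000-65535, TMG->EMS 49152-65535) are reported, not tested.
$Rules = @(
    @{ From = 'EMS'; To = 'TMG'; Port = 135;  Remark = 'RPC endpoint mapper' },
    @{ From = 'EMS'; To = 'TMG'; Port = 445;  Remark = 'Remote diagnostic logging' },
    @{ From = 'EMS'; To = 'TMG'; Port = 3847; Remark = 'MS Firewall Control' },
    @{ From = 'TMG'; To = 'EMS'; Port = 2171; Remark = 'MS Firewall Storage' },
    @{ From = 'TMG'; To = 'EMS'; Port = 2172; Remark = 'MS Firewall Secure Storage' },
    @{ From = 'TMG'; To = 'EMS'; Port = 3847; Remark = 'MS Firewall Control' },
    @{ From = 'TMG'; To = 'EMS'; Port = 135;  Remark = 'RPC endpoint mapper' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    # Plain TcpClient with a timeout: works on PowerShell 2.0 / Server 2008 R2,
    # where Test-NetConnection does not exist. A firewall DROP shows up as a
    # timeout, a REJECT or a closed port as a refused connection; both return $false.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DynamicPortRange {
    # Parses the (English) output of "netsh interface ipv4 show dynamicport tcp":
    #   Start Port      : 49152
    #   Number of Ports : 16384
    $out   = netsh interface ipv4 show dynamicport tcp
    $start = [int](($out | Select-String 'Start Port')      -replace '.*:\s*', '')
    $count = [int](($out | Select-String 'Number of Ports') -replace '.*:\s*', '')
    if ($count -eq 0) { throw 'Could not parse netsh output (non-English Windows?)' }
    New-Object PSObject -Property @{ Start = $start; Count = $count; End = $start + $count - 1 }
}

# Test only the rows whose source is the role this script runs as.
$target = if ($Role -eq 'EMS') { $TmgHost } else { $EmsHost }
foreach ($r in ($Rules | Where-Object { $_.From -eq $Role })) {
    $ok    = Test-TcpPort -ComputerName $target -Port $r.Port -TimeoutMs $TimeoutMs
    $state = if ($ok) { 'OPEN' } else { 'BLOCKED/CLOSED' }
    '{0} -> {1} TCP {2,-5} {3,-15} {4}' -f $r.From, $r.To, $r.Port, $state, $r.Remark
}

# The dynamic range that matters is the one on the server side of the RPC call:
# run this on the TMG node to learn what EMS -> TMG must be allowed to reach.
$range = Get-DynamicPortRange
'Local TCP dynamic port range: {0}-{1} ({2} ports)' -f $range.Start, $range.End, $range.Count
```

Run it as `.\Check-TmgEmsPorts.ps1 -Role EMS -TmgHost tmg01` on the EMS and as `.\Check-TmgEmsPorts.ps1 -Role TMG -EmsHost ems01.corp.local` on a TMG node; the dynamic range printed on the TMG node is the one to compare against the EMS –> TMG RPC rule (10000-65535 in the table above), since a product that lowers the start port will otherwise leave RPC calls silently dropped at the firewall.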


3 Responses to Forefront TMG Array In Workgroup Managed By EMS: Firewall Ports

02 August, 2011 21:07

Very concise info, thanks much!

Anonymous
08 May, 2012 18:21

Thank you, great job.

Anonymous
14 May, 2013 09:49

Thank you for the job...
But really, that’s the kind of traffic we forbid between DMZ and LAN. It’s too bad.
