May 16, 2010
 

Quite often I get questions about how you should configure your network cards for Microsoft ISA or Microsoft TMG server. Since there is a common misconception about this, I thought I needed to write something down about it. For the moment I will assume that you have configured your ISA/TMG server in a domain environment. Later on I might describe other scenarios where your network card configuration might differ.

First, let’s talk about the external network adapter. Of course, you would configure an IP address and a subnet mask, right? But after that, a lot of questions start to arise. Should I configure a default gateway on this adapter? Should I configure DNS servers on this adapter?
First the default gateway. The default gateway is the device that traffic is forwarded to when the machine can’t find a route to the destination IP address in its own routing table. Since adding the whole Internet to a static routing table isn’t a real option, you simply forward your traffic to the machine’s default gateway. This is usually your ISP router. So to get back to the question of whether you should configure a default gateway on the external NIC, the answer is yes.

So what about the DNS configuration on your external network interface card? Since I assume your ISA/TMG is joined to a domain, this is a pretty important question. As you might know, DNS is a very important component of an Active Directory environment. Without a properly working DNS environment you might run into loads of problems, for example authentication issues. So what happens if you configure ISP DNS servers on your external interface, even though you configured DNS servers on your internal interface? There is a big chance that your ISA/TMG server will forward authentication-related DNS queries to your ISP, and of course they don’t know anything about your domain infrastructure. So that would be useless. In fact, configuring DNS on the external interface is not necessary at all.

So to summarize, configure the following on the external network interface card:

  • IP address
  • Subnet mask
  • Default Gateway

(The image below is from a Windows 7 system but you get the idea)

 External NIC Example

Ok and now we turn our attention to the internal network interface card.
Let’s skip the IP address and subnet mask topics and move on to the default gateway. First of all, you can only have one default gateway on your ISA/TMG server. Actually, this is true for many devices. But wait, I just said you should configure the default gateway on your external NIC, right? So what if you have multiple different subnets in your internal network? What if you have subnets like 10.10.1.0/24, 10.10.2.0/24 and 192.168.2.0/24? Well, those subnets should be added on the ISA/TMG server using static routes to your internal subnets. You can do this with the "route add" command. So no, we don’t add a default gateway on the internal network interface card.

(Example of a persistent route add command)

Persistent static route
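The command shown in the screenshot above, written out as an added example (not taken from the original post). It assumes the internal NIC sits on 10.10.1.0/24 and that an internal router at 10.10.1.254 reaches the other two subnets from the text; both addresses are assumptions, not part of the post.

```batch
@echo off
rem Assumed lab addressing (not from the post): the internal NIC is on
rem 10.10.1.0/24 and the internal router reaching the other subnets is
rem 10.10.1.254. Replace both with the values from your own environment.
set INTERNAL_ROUTER=10.10.1.254

rem 10.10.1.0/24 is directly connected to the internal NIC, so it needs no
rem static route; only the subnets behind the internal router do.
rem -p makes the route persistent, so it survives a reboot.
route -p add 10.10.2.0 mask 255.255.255.0 %INTERNAL_ROUTER%
route -p add 192.168.2.0 mask 255.255.255.0 %INTERNAL_ROUTER%

rem Verify: both subnets should be listed under "Persistent Routes", and the
rem only 0.0.0.0 entry should be the default gateway of the external NIC.
route print -4
```

If `route print` shows a second 0.0.0.0 route via the internal NIC, a default gateway was configured on that adapter and should be removed.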

But what about DNS? Remember I talked about authentication and stuff? You guessed it, you should add the internal DNS servers to your internal NIC. ISA/TMG is capable of authenticating AD users. Maybe Bob is allowed to use FTP, but Ken isn’t. These users need to be authenticated, and ISA/TMG will query the DNS servers to find the AD servers. So yes, DNS is needed.

Ok, to summarize, you should configure the following settings on the internal NIC:

  • IP address
  • Subnet mask
  • Internal DNS servers

(The image below is from a Windows 7 system but you get the idea)

Internal NIC Example

Well, we’re almost done. The last thing I would like to recommend to you is that you keep an eye on your network binding order. Make sure you keep your internal network on the top and your external network at the end. Anything in between should be your DMZ interfaces if you have them.

Oh! I almost forgot to mention DMZ interfaces. The only things you need to configure for a DMZ interface are an IP address and a subnet mask. Note: if you have multiple subnets behind the DMZ interface, make sure you add static routes for them, just like you may have done for the internal interface.

Well, this was a pretty long post but I hope that I made it clear how you should configure your network interface cards on your ISA/TMG servers!