Installing Security Server behind existing firewall in Windows Essential Business Server

While Windows Essential Business Server 2008 (Windows EBS) Security Server can be installed as the single perimeter security solution it is common to have it  coexist with existing security solutions like hardware firewall on the perimeter.  In this configuration, Forefront TMG is the “back end firewall” to the existing “front end” firewall, providing a defense in depth setup.

In this case, there are few choices available – this blog post calls out the decision points and provides an outline of the activity for each decision:

1.       Configuring the network to support two security devices for defense in depth.

The introduction of a backend firewall requires the front end firewall to be on a separate subnet than the rest of the local network.  There are two ways to easily achieve this. The selection will be driven by your knowledge of the existing firewall and the number of devices in your network.

a.       (default) Take over internal IP address of front end firewall and create a new subnet between the front end firewall and EBS Security Server. Windows EBS Setup automatically defaults the internal IP of Security Server to be the internal IP address of existing (front end) firewall.  The only remaining activity is to reconfigure your front end firewall for the new subnet. Refer to the documentation of your front end firewall to accomplish this task.


b.      Create a new subnet for existing clients to use with EBS Security Server, leaving the front end firewall networking configuration untouched (you still need to update any rules that refer to old server IPs for any servers you publish). This requires reconfiguration of all the clients and servers in your network to use EBS Security server as the default gateway. To accomplish this task, you need to edit the internal IP address of Security Server during Setup to be the new gateway IP address. You will also need to change the default gateway on all the machines that have a static IP address in your network and update the gateway property on your existing DHCP server. The latter is automatically done if you decide to install the DHCP role on EBS.


2.       Choice of security level enforced by EBS Security Server

Based on the capabilities of your existing front end firewall, you can reduce the security level enforced by EBS Security Server, using the tool introduced by Feature Pack 1 for Windows Essential Business Server 2008. The various levels and security features for each level are documented at the Change the Security Level  topic in the Windows Essential Business Server Technical Library. This feature pack id downloaded when you check for updates during installation of Windows EBS or you can download it from Microsoft Download Center.


3.       Keeping the two firewalls in sync with each other

The default configuration for Windows EBS configures the EBS Security Server to :

-          publish Remote Web Workplace & Exchange services,

-          allow internet access for all users, and

-          configures firewall rules for essential network services like DNS to function.

If you chose the security level for EBS Security Server to be medium-low or higher, you need to identify other applications your users will access from outside and publish those servers/services using the Server Publishing or Web Publishing wizard; you may also need to add access rules for any line of business application that needs outbound access on protocols other than HTTP or HTTPS protocol, using the “Add new access rule” wizard. On the front end firewall, you also need to update the firewall rules to forward the traffic to EBS Security Server. You may need to republish services like Remote Web Workplace and Exchange services like Outlook Web Access from EBS Security Server in your existing firewall.

If you chose security level for the EBS Security Server to be “low”, you do not need any changes in EBS Security Server. You need to publish services like Remote Web Workplace and Exchange services like Outlook Web Access directly in your front end firewall. For all the default configuration details, refer to the Security and Protection section in the Windows Essential Business Server Technical Library.


4.       Choices with site to site VPN configurations (if applicable)

Site to Site VPNs are commonly used to provide connectivity to remote branches. The branch network is connected using a VPN tunnel into the VPN device (typically the front end firewall) – with EBS Security Server installed behind the existing front end firewall, you have 2 choices:

a.       A simple option is to continue to terminate  VPN at the front end firewall and configure EBS Security Server to route traffic between the branch networks and your internal network. The steps involved are:

                                                               i.      Create an “Address Range” object for each branch subnet.

                                                             ii.      Add a Network rule of type “route” and place it above default NAT rule.

                                                            iii.      Add an array access rule allowing traffic between branch network address range and internal network .

With this configuration, you can now access internal network resources from remote branch subnets and vice versa.

b.      An advanced option is to terminate your VPNs in EBS Security server – this requires reconfiguring the existing firewall to pass through traffic to EBS Security Server and establish VPN tunnel in the EBS Security Server with the branch device. You can use the “Create Site to Site VPN connection wizard” in Forefront TMG console to accomplish this task. Refer to VPN Consortium for compatibility of VPN devices.

Hope this helps organizations, partners, and administrators who want to integrate their Security Server in Windows EBS 2008 into a network with an existing firewall. Let us know if you would like more detailed steps for any of these sections!

Downloads :

Feature Pack 1 for Windows Essential Business Server 2008.

References :

Security and Protection section in the Windows Essential Business Server Technical Library.

Related posts :

New feature : Adjust the level of protection provided by Security Server in Windows Essential Business Server 2008

Site to site VPN and Windows Essential Business Server

As always, your comments and questions are welcome!


Kannan C Iyer

Program Manager

Windows Essential Business Server

Microsoft Corporation

Comments (5)

  1. Anonymous says:

    I am looking for some assistance in configuring the Security server to work with my existing Cisco Devices.  I attempted to follow the instructions above, but had negative results.  I currently have 5 branch offices connected to our head office using static VPN tunnels.  I changed the head office device to route traffic from my tunnels to the Security Server.  I was able to contact the branch offices, but they were not able to contact me.  I am not familar enough with access rules in the ForeFront TMG.  If there is anyone who can help me, I would greatly appreciate it.

  2. Gary says:

    Then can EBS security server take over a hardware firewall and we can less the expend

  3. Jon Erdmann says:

    We recently downloaded the Feature Pack 1 to try out the different security levels due to the ForeFront TMG blocking random things (FTP, network printing, etc) We turned the security down to low and at first everything was great, but now the network is unbelievable slow.  The entire network is at a crawl speed.  We can’t do anything.

  4. Eli RIpoll says:

    Hi i was wondering what are the steps if you choose not to use the security server. Our company has already invested in a very expensive security and firewall solutions. adding the security firewall would seriously cause headaches and down time as we have hundreds of rule, nats, and custom configurations. Im sure with microsoft antitrust situations they cant be forcing thee clients to use there security sofware. I was wonering if there were any steps to skip that step in the installation?

  5. Freaky says:

    Eli: I’m no fan of microsoft politics, far from it. But if you buy a solution, not just some windows licenses with exchange etc, how do you figure you can throw it on anti-trust?

    I didn’t like it either, but I just downloaded the feature pack 1, set the security level to low (disables NAT, I’d actually the security level to be higher but NOT having double NAT counts higher and the IMHO retarded wizard only disables NAT on the low level (which makes you wonder why the i have an external firewall checkbox is there in the first place then).

    On low, all I had to do was the normal inbound NAT (ie allow SMTP etc) to the external IP of the TMG and define some other rules. Our external firewall just routes to behind the TMG and that works just fine. Only need to create the rules on the external firewall.

Skip to main content