Adding a Second Network Adapter for Server Publishing in ISA/TMG

In the last few weeks we have seen a number of cases where TMG was being used in a Single Network Adapter Configuration. This is a very common scenario for forward proxy and reverse publishing of web protocols (HTTP, HTTPS). It does not work, however, for server publishing of non-web protocols such as POP, SMTP, etc. For server publishing, a NAT relationship must exist, and this requires a separation of internal and external networks. When TMG is in a single-NIC scenario it is only aware of the Local Host Network and the Internal Network; there is no concept of the External Network.

The issue we sometimes see is when the TMG administrator finds out that they also need to do server publishing of non-web protocols. Through research of their own or by calling support, they find out that you cannot do this with a single NIC in ISA or TMG. The administrator then mistakenly thinks that simply adding a second NIC to the server will not be enough to accomplish non-web server publishing. It will work, as long as you keep in mind that the IP address assigned to the “Internal” network adapter and the IP address assigned to the newly added “External” network adapter must be on completely different subnets. If they are on the same subnet, there is no differentiation between Internal and External.
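As an added example (not part of the original post), a small Python check of the subnet rule above: given constructed Internal/External adapter addresses and masks, it reports whether the two adapters sit on disjoint subnets, treating any overlap (including one subnet containing the other) as the failing case in which TMG cannot tell Internal from External.

```python
import ipaddress

# Constructed sample adapter configurations (not from the original article).
# Each entry: adapter name -> (IPv4 address, subnet mask) as assigned in Windows.
GOOD_CONFIG = {
    "Internal": ("192.168.10.2", "255.255.255.0"),
    "External": ("10.0.0.2", "255.255.255.0"),
}

BAD_CONFIG = {
    "Internal": ("192.168.10.2", "255.255.255.0"),
    "External": ("192.168.10.3", "255.255.255.0"),  # same subnet as Internal
}


def adapter_network(ip, mask):
    """Return the subnet an adapter belongs to, derived from its IP and mask."""
    # strict=False lets us pass a host address rather than the network address.
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def check_nat_separation(adapters):
    """Check that the Internal and External adapters are on disjoint subnets.

    Returns (ok, message). ok is True only when the two subnets do not overlap,
    which is what TMG needs to form a NAT relationship between the networks.
    A subnet that fully contains the other also counts as an overlap.
    """
    internal = adapter_network(*adapters["Internal"])
    external = adapter_network(*adapters["External"])
    if internal.overlaps(external):
        return False, (f"Internal {internal} overlaps External {external}: "
                       "no NAT relationship possible, server publishing will fail")
    return True, f"Internal {internal} and External {external} are separate"


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        ok, msg = check_nat_separation(cfg)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {msg}")
```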


For more information on Publishing Concepts please see https://technet.microsoft.com/en-us/library/bb794758.aspx

You can also view this article for more information on the features and limitations of ISA/TMG in a single NIC scenario: https://technet.microsoft.com/en-us/library/cc302586.aspx


The articles were written for older versions of ISA but the concepts still apply to TMG 2010.