
DNS Settings for the Forefront Threat Management Gateway’s (TMG) Interfaces

One of the more common troubleshooting issues with the ISA firewall has to do with the DNS settings on the firewall’s interfaces. The same issues apply to the new TMG’s interfaces.

In order to avoid common DNS and name resolution issues, here’s what you need to know about configuring DNS settings on the TMG:

  • Never put an external DNS server address on any of the TMG firewall’s interfaces if you need to resolve internal host names
  • You always need the TMG to resolve internal host names, so don’t put any external DNS server addresses on any of the TMG’s interfaces
  • Configure DNS servers on only one interface of the TMG. Adding DNS server settings to multiple interfaces gives you no fault tolerance
  • Configure the internal interface of the TMG firewall with the DNS server settings. If you have multiple internal DNS servers, you can put them all on the same internal interface
  • Move the internal interface to the top of the interface binding order so that its DNS settings are the ones used first
  • Configure the internal DNS server that the TMG will use to resolve host names so that it can resolve both internal and external names
  • You can have the internal DNS server perform recursion on its own, or you can configure the internal DNS server to use a forwarder (such as your ISP, or even another DNS server on your network that is configured as a caching only forwarder)
  • Remember that the Forefront TMG Firewall will resolve names for Web Proxy and Firewall clients. It will not resolve names for SecureNAT clients, so make sure you configure your SecureNAT clients with a DNS server that can resolve both internal and external host names. It can be the same DNS server that the Forefront TMG Firewall is using, if you want
  • If you have a Forefront TMG scenario where you don’t want the machine to resolve names (such as a Web hosting environment), you can leave out all DNS settings and use a HOSTS file on the TMG firewall
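As an added example (not part of the original post), the following PowerShell script audits a TMG host against the interface rules above: DNS servers on exactly one interface, no resolver that is not one of your internal DNS servers, and the interface carrying the DNS servers first in the binding order. It uses WMI rather than the newer NetTCPIP cmdlets so that it runs on Windows Server 2008/2008 R2. The addresses in $InternalDnsServers and the assumption that the binding order is the order of the Bind value under Tcpip\Linkage are mine, not the post's; adjust them for your own network.

```powershell
# Added example, not from the original post. Audits the DNS client settings of
# a Forefront TMG host against the interface rules described in the post.
# Uses WMI (Win32_NetworkAdapterConfiguration) so it runs on Windows Server 2008/2008 R2.
param(
    # Assumption: the addresses of your internal DNS servers; change to match your network.
    [string[]]$InternalDnsServers = @('10.0.0.10', '10.0.0.11')
)

$findings = @()

# Every IP-enabled adapter, with its DNS server search order.
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")

# Adapters that carry at least one DNS server address.
$withDns = @($adapters | Where-Object { $_.DNSServerSearchOrder })

# Rule: DNS servers on exactly one interface (none at all only for a HOSTS-file-only design).
if ($withDns.Count -eq 0) {
    $findings += 'No interface has DNS servers configured; acceptable only if you rely on a HOSTS file.'
} elseif ($withDns.Count -gt 1) {
    $names = ($withDns | ForEach-Object { $_.Description }) -join ', '
    $findings += "DNS servers are set on $($withDns.Count) interfaces ($names); TMG should have them on the internal interface only."
}

# Rule: no external resolver on any interface.
foreach ($a in $withDns) {
    foreach ($dns in $a.DNSServerSearchOrder) {
        if ($InternalDnsServers -notcontains $dns) {
            $findings += "Interface '$($a.Description)' lists DNS server $dns, which is not one of the internal DNS servers."
        }
    }
}

# Rule: the internal (DNS-bearing) interface first in the binding order.
# Assumption: the order shown under Advanced Settings > Adapters and Bindings is the
# order of the Bind value under Tcpip\Linkage, whose entries look like \Device\{GUID}.
$bind = @((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind)
$firstGuid = $bind[0] -replace '^\\Device\\', ''
if ($withDns.Count -eq 1 -and $firstGuid -ne $withDns[0].SettingID) {
    $findings += "Interface '$($withDns[0].Description)' carries the DNS servers but is not first in the binding order."
}

if ($findings.Count -eq 0) {
    'DNS interface settings match the TMG guidance.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on the TMG host itself. It only reads settings; anything it reports is meant to be fixed through the adapter's TCP/IP properties and the Adapters and Bindings dialog, so the audit and the change stay separate steps.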

DNS misconfiguration on the TMG can lead to performance problems and failures to reach requested sites.

Also, remember that if the TMG firewall is in an environment where you have enabled DDNS (such as when the TMG is a member of the domain), make sure that only the internal interface of the TMG firewall is registered in DNS. Double check your DNS server’s Host (A) records after installing the TMG firewall to make sure that the external interface is not registered.
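The check described in the previous paragraph, as an added example that is not part of the original post: it queries the internal DNS server for the TMG host's A record and reports any address that is not the internal interface address, then inspects the "Register this connection's addresses in DNS" flag on every adapter and, only when you pass -Fix, turns that flag off on adapters other than the internal one. The DNS server and internal address values are placeholders you replace with your own.

```powershell
# Added example, not from the original post. On a domain-joined TMG host, checks
# that the host's A record(s) on the internal DNS server contain only the internal
# interface address, and that dynamic DNS registration is disabled on every other
# adapter. Uses nslookup and WMI so it runs on Windows Server 2008/2008 R2.
param(
    [string]$DnsServer = '10.0.0.10',               # assumption: an internal DNS server holding the zone
    [string[]]$InternalAddresses = @('10.0.0.1'),   # assumption: the TMG internal interface address(es)
    [switch]$Fix                                    # opt-in: disable registration on non-internal adapters
)

$findings = @()

# The machine's own FQDN, taken from WMI rather than the logged-on user's domain.
$cs   = Get-WmiObject Win32_ComputerSystem
$fqdn = "$($cs.Name).$($cs.Domain)"

# 1. Ask the DNS server directly for the host's A records and pull out the addresses.
#    nslookup prints the server it used first, then "Name:" followed by the answer,
#    so only the text after "Name:" is parsed (otherwise the server's own address would count).
$out = (& nslookup -type=A $fqdn $DnsServer 2>&1) -join "`n"
if ($out -match 'Name:') {
    $answer = ($out -split 'Name:')[-1]
    $registered = @([regex]::Matches($answer, '\b\d{1,3}(\.\d{1,3}){3}\b') |
                    ForEach-Object { $_.Value } | Sort-Object -Unique)
} else {
    $registered = @()
    $findings += "No A record for $fqdn was returned by $DnsServer."
}

foreach ($ip in $registered) {
    if ($InternalAddresses -notcontains $ip) {
        $findings += "A record for $fqdn on $DnsServer contains $ip, which is not the internal interface address."
    }
}
foreach ($ip in $InternalAddresses) {
    if ($registered -notcontains $ip) {
        $findings += "A record for $fqdn on $DnsServer does not contain the internal address $ip."
    }
}

# 2. Check the per-adapter "Register this connection's addresses in DNS" flag.
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
foreach ($a in $adapters) {
    $isInternal = @($a.IPAddress | Where-Object { $InternalAddresses -contains $_ }).Count -gt 0
    if (-not $isInternal -and $a.FullDNSRegistrationEnabled) {
        $findings += "Adapter '$($a.Description)' registers its addresses in DNS but is not the internal interface."
        if ($Fix) {
            # SetDynamicDNSRegistration(FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled); 0 = success.
            $rc = $a.SetDynamicDNSRegistration($false, $false).ReturnValue
            $findings += "Registration disabled on '$($a.Description)' (return code $rc); delete any stale A record on $DnsServer by hand."
        }
    }
}

if ($findings.Count -eq 0) {
    "Only the internal interface of $fqdn is registered in DNS."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Disabling registration on the external adapter stops the record from coming back at the next refresh, but it does not remove an A record that is already there, which is why the script tells you to delete it on the DNS server yourself rather than doing it silently.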

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

One Response to “DNS Settings for the Forefront Threat Management Gateway’s (TMG) Interfaces”

  1. Alexander Demmer Says:

    January 8th, 2010 at 1:52 pm

    Hi Deb,
    I have the following issue regarding DNS configuration:
    - only my internal DNS-server is configured for use on a 2-NIC-TMG, it is configured on the internal NIC, no DNS is configured on the external NIC
    - when I enable VPN site-to-site (PPTP) then the DNS-server provided by the PPTP-adapter is used, which causes slower name resolution than usual

    How can I configure an order for DNS-servers when using VPN site-to-site? Do you have an idea?

    TIA
    A. Demmer
