A high-level overview of network adapter configuration best practice is provided below:
  • The network adapter name used within the operating system should be changed to closely match the associated TMG network name. This clarifies assignment and improves supportability.
  • Only one network adapter should be configured with a default gateway.
  • Only one network adapter should be defined with DNS servers.
  • Unused or unnecessary bindings should be removed from all adapters, where possible, to improve security.
  • The default bind order should be amended to define a specific customised order.
Based upon these best practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment.
Configuration Step 1 – Rename Network Adapters:
Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:
UAG adapter connected to the trusted network: Internal NetworkUAG adapter connected to the untrusted network: External Network
Tip: Matching the names is not essential; it just makes mapping networks between UAG, TMG and Windows much easier when troubleshooting…

Configuration Step 2 – Configure Network Adapters:
The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.
Internal Network Adapter
  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default
The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.
External Network Adapter
  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled
Please Note: The 'File and Print Sharing for Microsoft Networks' binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.
Configuration Step 3 – Amend Bind Order:
Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:
Internal Network (Highest)…others…
External Network (Lowest)
Configuration Step 4 – Run the UAG Network Interfaces Wizard:
You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.
Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow…
This article was originally written by: Jason Jones