PfSense and Microsoft Threat Management Gateway (MS TMG)



  • Hello all.

    I am currently using pfSense for FW, Routing and NAT and use VLANs to segregate internal traffic.

    Yep, router in a stick with a trunked link to a switch.

    I want to introduce MS TMG into the mix so I can have multiple web servers (Layer 7, L7) and also add a layer of security.

    It seems that the best way to set this up so far is like this.

    Internet -- pfSense -- TMG -- Internal Network (192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0)

    It is my understanding that pfSense would face the Internet and pass any incoming requests over to TMG, which would then forward them to the appropriate server.

    Right now, the link between pfSense and the switch is trunked to allow the VLAN traffic.

    Once I put TMG in between, do I:

    • Transfer the subnet and VLAN config from pfSense to the TMG box?
    • If I do transfer, do I then trunk the link from TMG to the switch?
    • Use pfSense for NAT?

    Your help is much appreciated!



  • The best way to do this would be to put one of your firewalls in "transparent mode" so it doesn't do any routing or NAT and just passes traffic from one interface to the other.

    I don't think the MS TMG can do this, so your only option is to put pfSense into this mode.

    However, I have used a previous version of TMG (ISA 2006) in a router-on-a-stick configuration and would encourage you to avoid it if possible!


  • No transparency here, and pfSense runs fine when NAT'ing to TMG.

    I use the TMG to do L7 on the servers, and to add an extra layer of security.

    Works very well, with superb performance on the reverse proxy of TMG.



  • Thanks all. I appreciate the help.

    I deployed MS TMG using the single NIC setup for L7 capabilities including redirection.
