In a centrally managed Forefront TMG deployment, an enterprise administrator can create networks on the enterprise level. An enterprise network is represented by an FPCEnterpriseNetwork object and can include any IP addresses that are not being used to define another enterprise network.
Enterprise networks are used for configuring access rules in an enterprise policy that can be applied to any array in the enterprise and for configuring enterprise network rules that apply to all arrays in the enterprise. Only enterprise networks can be used to create enterprise-level rules. Enterprise networks can also be used for defining array-level access and publishing rules and for defining array-level network rules. However, you cannot use array-level networks when creating enterprise-level rules.
Any number of user-defined enterprise networks can also be included in a network defined in an array by including references to them in the EnterpriseNetworks property of the FPCNetwork object representing the array-level network. The set of IP address ranges defined by each enterprise network is then included in the array-level network, and the additional array-level configuration settings specified in the properties of the FPCNetwork object will apply to this set of IP address ranges. IP address ranges defined in an enterprise network that is included in an array-level network may overlap IP address ranges defined in the array-level network.
An enterprise network whose set of IP address ranges corresponds exactly to the IP addresses included in a protected array-level network, such as the Internal network, defined in one array can be used to reference that network in all the other arrays of the enterprise.
When you configure enterprise networks, you specify only the IP address ranges and do not specify any of the other properties that you would define for array-level networks. In particular, you cannot configure Network Load Balancing or Cache Array Routing Protocol (CARP) for an enterprise network.
The IP addresses that are included in an enterprise network are excluded from the default External network in each array in the enterprise even if the enterprise network is not included in any network defined in the array.
The following predefined enterprise networks are created upon installation:
- Local Host
- Quarantined VPN Clients
- VPN Clients
These predefined enterprise networks implicitly define the same IP address sets as their array-level counterparts. They can be used for defining rules in an enterprise policy and for defining enterprise network rules. When an enterprise policy is assigned to an array, each predefined enterprise network in a rule will be interpreted as the array-level network of the same name. For example, you can create an enterprise access rule that applies to requests sent to the Local Host enterprise network. When a request is handled in an array to which the enterprise policy containing this access rule is assigned, the rule will apply to the IP addresses in the Local Host network on the array member handling the request.
IP addresses that belong to a configurable enterprise network, but do not belong to any configurable array-level network are considered to be part of a residual network.
Note Packets from an IP address on a residual network are considered spoofed and are dropped. Forefront TMG creates a log entry every time that traffic to or from an IP address on a residual network is dropped. The source or destination network field for the log entry will consist of the word Residual followed by the name of the applicable enterprise network.
Build date: 7/12/2010