As I pointed out in an earlier blog post today, the ISA/TMG support team have been busy reviewing and updating ISA firewall KB articles so that they can apply to the Forefront TMG firewall. It took a lot of work on their part to make this happen, so we have only the highest admiration and respect for their efforts.
However, sometimes the best of us get a little "slap happy" when we're forced with large volumes of work and tight deadlines. I think this was the case when the ISA/TMG support team updated this article:
The features and limitations of a single-homed ISA Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer
The article definitely applies to ISA 2004 and ISA 2006 firewalls, but Forefront TMG MBE? I don't think TMG MBE is supposed to work in hork mode at all (Hork mode is a single NIC ISA firewall that has had its security feature set stripped down due to the single NIC deployment). I might be wrong, but it's my implicit understanding that the Forefront TMG MBE firewall is only supported in the configuration created by the EBS installer. If you do things to marginalize the EBS and TMG's security posture, then you're likely going outside of a supported configuration.
Just a reminder -- friends don't let friends deploy ISA or TMG firewalls in hork mode :)
Think of your ISA or TMG firewall as a Polar Bear who wants to protect you
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)