MsExchange Blog Spot Telnet25

August 19, 2011

TMG 2010 and RSA: things you have to remember.

Filed under: General — telnet25 @ 2:49 pm

If your setup requires you to configure TMG and RSA SecurID communication to meet a government two-factor authentication requirement, and you have never done this before, keep reading; hopefully the checklist here will get you through.

Assumption: you have already configured your TMG server and you have an RSA Authentication Manager server on your network.


1. Add a persistent static route to the RSA servers from each TMG server.


2. Modify the registry on each TMG server to specify which IP address the ACE client will use.


3. In the Network Connections panel, make sure the internal NIC is first in the NIC binding order.


4. In the TMG console, under Networking, Networks, make sure the RSA server IP addresses or subnet are part of the Internal network.


5. Obtain the RSA agent configuration file (sdconf.rec) from the RSA administrator. It is generated on the RSA server and must be saved on the TMG server in two places.


6. Locations for sdconf.rec on the TMG servers:

  • C:\Windows\System32
  • E:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig



7. Download the tool from here and install it into the same directory as the TMG binaries.


8. Your TMG publishing rule for Exchange 2010 CAS will not work until the test with that tool succeeds.


Now the details for each step.

1. On the TMG servers, make sure a persistent static route is added so that TMG knows how to reach the RSA servers (network routing).

Open a command prompt with administrator privileges on the TMG server and run the one-line command below (swap in the IP address and default gateway that suit your scenario; the angle-bracket values are placeholders).

RSA server IP =

TMG internal NIC = /27 (/27 = 255.255.255.224)

TMG external NIC = /27

My default gateway for the TMG server =

route add <RSA server IP> mask 255.255.255.255 <internal gateway> -p

Let me explain a little what this means: any traffic to the destination IP (the RSA server) will be sent to the gateway on the internal NIC side of the TMG server. The mask 255.255.255.255 matches exactly one host, and -p makes the route persistent across reboots.

If you want a route to the entire RSA network instead, you would use the classless subnet mask of that network; in that case the command looks like this.

Be aware that this opens a route to the entire network, not to one host, so prefer the single-host route unless you really need the whole subnet.

route add <RSA network address> mask <subnet mask> <internal gateway> -p

To delete a route (if you make a mistake and want to remove the persistent route):

route delete <RSA server IP>

To see the routing table, including persistent routes:

route print


If no static route is defined, the TMG server sends the traffic out through the default gateway on the external NIC, which is on a different subnet. The internal and external interfaces are separated not only by the TMG firewall itself but most likely by another firewall (Cisco etc.) as well, so that traffic will not be allowed through and TMG will never reach the RSA server.

2. Now, on each TMG server, edit the registry to tell the ACE client which local IP address to use when talking to the RSA server. The registry subkeys involved are:




  • SDTI
  • AceClient
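As an added example (this is not code from the original post), here is a PowerShell script that performs steps 1, 2, 5 and 6 on one TMG server and checks each of them: it adds the persistent /32 host route, verifies through WMI that the route is active, persistent and leaves via the internal NIC rather than the external one, copies sdconf.rec to both locations and compares hashes, and writes the ACE client registry value. All IP addresses, the source path of sdconf.rec, the hive path above SDTI\AceClient and the value name PrimaryInterfaceIP are assumptions made here; the post itself only shows the subkey names SDTI and AceClient. It is written for the PowerShell 2.0 and Windows Server 2008 R2 tooling that TMG 2010 runs on, so it uses route.exe and WMI rather than the newer Get-NetRoute cmdlets. Run it from an elevated prompt.

```powershell
# Added example, not from the original post. Every IP, path and the registry
# value name below is an assumption; replace them with your own values.

$RsaServerIp       = '10.10.10.5'     # assumption: RSA Authentication Manager address
$InternalGatewayIp = '10.20.30.1'     # assumption: router on the TMG internal NIC subnet
$TmgInternalIp     = '10.20.30.10'    # assumption: TMG internal NIC address the agent must use
$SdconfSource      = 'C:\Temp\sdconf.rec'   # assumption: where the RSA admin's file was dropped
$SdconfTargets     = @(
    (Join-Path $env:SystemRoot 'System32\sdconf.rec'),
    'E:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig\sdconf.rec'  # path from the post
)

# Step 1: persistent /32 host route. Only the RSA server is sent via the internal
# gateway; a subnet mask here would open a route to the whole network instead.
function Add-RsaHostRoute([string]$Destination, [string]$Gateway) {
    $existing = Get-WmiObject Win32_IP4RouteTable -Filter "Destination='$Destination' AND Mask='255.255.255.255'"
    if ($existing) { Write-Host "host route for $Destination already present"; return }
    $out = & route.exe add $Destination mask 255.255.255.255 $Gateway -p 2>&1
    if ($LASTEXITCODE -ne 0) { throw "route add failed: $out" }
}

# Verify the route is active, persistent (survives reboot) and that its interface
# carries the internal NIC address. If this fails, RSA traffic is leaving through
# the external NIC and the firewalls in between will drop it.
function Test-RsaHostRoute([string]$Destination, [string]$ExpectedLocalIp) {
    $active = Get-WmiObject Win32_IP4RouteTable -Filter "Destination='$Destination' AND Mask='255.255.255.255'" |
              Select-Object -First 1
    if (-not $active) { Write-Warning "no active host route for $Destination"; return $false }

    $persistent = Get-WmiObject Win32_IP4PersistedRouteTable -Filter "Destination='$Destination'"
    if (-not $persistent) { Write-Warning "route for $Destination is not persistent (missing -p)"; return $false }

    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$($active.InterfaceIndex)"
    if ($nic.IPAddress -notcontains $ExpectedLocalIp) {
        Write-Warning ("route to {0} leaves via interface {1} ({2}), not the internal NIC {3}" -f `
            $Destination, $active.InterfaceIndex, ($nic.IPAddress -join ','), $ExpectedLocalIp)
        return $false
    }
    return $true
}

# Steps 5 and 6: place sdconf.rec in both locations and prove each copy is
# byte-identical to the file the RSA administrator handed over.
function Copy-Sdconf([string]$Source, [string[]]$Targets) {
    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $expected = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Source)))
    foreach ($target in $Targets) {
        $dir = Split-Path -Path $target -Parent
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Copy-Item -Path $Source -Destination $target -Force
        $got = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($target)))
        if ($got -ne $expected) { throw "hash mismatch after copying sdconf.rec to $target" }
        Write-Host "sdconf.rec verified at $target"
    }
}

# Step 2: tell the ACE client which local address to use. The subkeys SDTI and
# AceClient come from the post; the HKLM\SOFTWARE hive path and the value name
# PrimaryInterfaceIP are assumptions, so confirm them against the RSA agent docs.
function Set-AceClientInterface([string]$LocalIp) {
    $key = 'HKLM:\SOFTWARE\SDTI\AceClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'PrimaryInterfaceIP' -Value $LocalIp -Type String
    return (Get-ItemProperty -Path $key).PrimaryInterfaceIP
}

Add-RsaHostRoute -Destination $RsaServerIp -Gateway $InternalGatewayIp
if (-not (Test-RsaHostRoute -Destination $RsaServerIp -ExpectedLocalIp $TmgInternalIp)) {
    throw 'Fix the routing before continuing; the ACE client test will fail otherwise.'
}
Copy-Sdconf -Source $SdconfSource -Targets $SdconfTargets
$bound = Set-AceClientInterface -LocalIp $TmgInternalIp
Write-Host "ACE client bound to $bound; now run the RSA test tool from the TMG binaries directory."
```

Run it once per TMG server (the IP values differ per node), then run the test tool from step 7; the publishing rule for CAS should only be enabled after that test succeeds. The route check is deliberately strict about the interface: a route that exists but egresses the external NIC looks fine in route print and only shows up as a silent authentication failure later.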


Oz Casey Dedeal (MVP, North America)
MCSE 2003, M+, S+, MCDST
Security+, Project+, Server+

