Recommended CAS Configuration for Back to Back TMG Firewall Topology
It's for you to decide whether only a domain-joined TMG can provide "proper" delegation. There is the option of using LDAP from a non-domain-joined TMG server. I do prefer the domain-joined TMG approach myself, but some of my customers just can't get that approved by their security people, generally because of bias and FUD against Windows hosts. It's my experience that you can't use TMG's FBA when your CAS is configured for FBA. In such cases, I've created a separate OWA virtual directory for that with a different port number like 444 or 4433 and configured it for Basic Authentication. You could use a different IP address as well.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
October 7th, 2011 2:25am

I am in the process of creating a design for what will be a production firewall topology. One of my design goals is to move from a single edge firewall to a back-to-back firewall configuration. My intent is to use a non-domain TMG server for my front-end firewall and a domain-joined TMG server for my back-end firewall. I am looking for specific guidance on the configuration of the CAS role in this configuration. My primary concern is that it seems only a domain-joined TMG server can provide the proper constrained delegation that is required when hosting forms-based authentication. Is it then the de facto recommendation that instead of using FBA on the TMG server I would just create an access rule and allow the CAS role holder in the perimeter network to host its own FBA? Thank you in advance.
October 22nd, 2011 7:37pm

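The separate Basic-authentication OWA virtual directory on an alternate port that Ed describes, as an added example written for this page rather than code from the thread. It assumes Exchange 2010 cmdlets run in the Exchange Management Shell on the CAS; the server name CAS01, the site name OWA-Basic, the physical path and the certificate thumbprint are placeholders to replace.

```powershell
# Added example (not from the thread): a second OWA virtual directory on its
# own HTTPS port (444) using Basic authentication, while the default /owa on
# port 443 keeps Forms-Based Authentication for browser users.
Import-Module WebAdministration

$cas      = "CAS01"                              # assumed CAS server name
$siteName = "OWA-Basic"                          # assumed IIS site name
$port     = 444                                  # alternate port from the answer
$thumb    = "<THUMBPRINT-OF-EXISTING-CAS-CERT>"  # placeholder, existing cert in LocalMachine\My
$path     = "C:\inetpub\$siteName"               # assumed physical path

# 1. A dedicated IIS web site, bound to HTTPS only on the alternate port.
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-Website -Name $siteName -Port $port -PhysicalPath $path -Ssl | Out-Null
Get-Item "Cert:\LocalMachine\My\$thumb" |
    New-Item "IIS:\SslBindings\0.0.0.0!$port" | Out-Null

# 2. The second OWA virtual directory created inside that site.
New-OwaVirtualDirectory -Server $cas -WebSiteName $siteName | Out-Null

# 3. Basic authentication only: FBA off so it does not collide with TMG's own
#    form, Windows auth off so only the TLS-protected Basic path is offered.
Set-OwaVirtualDirectory -Identity "$cas\owa ($siteName)" `
    -BasicAuthentication $true `
    -FormsAuthentication $false `
    -WindowsAuthentication $false

# 4. Verify: the default /owa still has FBA, the new one is Basic-only.
Get-OwaVirtualDirectory -Server $cas |
    Select-Object Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication
```

Only the TMG publishing rule for the Basic listener needs to point at port 444; the port 443 site is left untouched for FBA clients.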
