TMG RC1 - Multiple External Networks - spoofed packet error

  • Monday, November 02, 2009 1:05 AM DougB12345
    I have TMG RC1 running.  I have 3 NICS.  1 Internal, 1 the default external, 1 an additional External (second ISP).  I am set up with ISP redundancy and this is working.

    I want to take advantage of the second ISP additional inbound IP access to web sites and MX data.

    If I ping an IP address on the second external NIC I see the packet on TMG and get the following error: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.  I allow PING inbound on that network.

    I also have a Policy rule to allow an address on the second external NIC for OWA access.  If I telnet port 443 I get the same spoofing error.

    What am I missing?  Maybe I am assuming the concept will work and it won't?

    Any help is appreciated.  Is this the correct Forum?

    Thanks.

    Doug

All Replies

  • Monday, November 02, 2009 4:00 PM Jim Harrison IsaDewd

    "ISP Redundancy" - which mode; failover or load-sharing?
    If you chose failover, the secondary ISP link is considered offline until the primary link is offline.
    Any traffic received at the offline link will be dropped as "spoofed".
    Jim Harrison Forefront Edge CS
  • Monday, November 02, 2009 5:05 PM DougB12345
    Hi Jim,

    Thanks for the response.

    The ISP redundancy is in Failover and Load Balancing mode.

    Somehow I get the feeling that I am defining the secondary "External" Network incorrectly.

    The primary ISP NIC was defined to the adapter with the IP addresses that all work. This is shown as the "External" network.

    I added an additional Network that I defined as "External" and attached the NIC with the IP addresses that are coming in as being spoofed.

    I suspect that this was not the correct way to do this.

    I can't really find anything explaining how to do this in documentation.

    Doug
  • Monday, November 02, 2009 7:49 PM Jim Harrison IsaDewd
    Proposed Answer
    You're correct - adding another network was the wrong process.
    By default, any NIC that does not fall into any of the protected networks definition is automatically added to the "External" network.
    You should delete the custom network and let TMG manage the assignment.

    Here's only part of what Bing returns for "technet tmg 'isp redundancy'"
    http://technet.microsoft.com/en-us/library/dd897038.aspx
    http://technet.microsoft.com/en-us/library/dd440984.aspx
    http://blogs.technet.com/isablog/archive/2009/02/16/keeping-high-availability-with-forefront-tmg-s-isp-redundancy-feature.aspx
    http://blogs.technet.com/forefront/archive/2009/03/10/forefront-tmg-feature-deepdive-isp-redundancy.aspx
    Jim Harrison Forefront Edge CS
  • Monday, November 02, 2009 11:13 PM DougB12345
    Hi Jim,

    Well that certainly made a difference. 

    In the TMG logs I see the packets coming into the IP address that is on the secondary NIC card. 

    The log shows the traffic as initiated.

    I never see a reply back to the source however. 

    I have both an HTTP as well as an HTTPS policy for both IPs for both NICs.

    The IP on the primary NIC works fine.  The IP going via the secondary never gets anything returned.

    I have Wireshark running on the destination machines and do not see the traffic when the secondary IP was used.

    So the traffic for the secondary seems to arrive at TMG, nothing is blocked, but it never gets routed to the destination.

    I did review the documents you provided links for, and I think I have everything set accordingly but clearly I am not doing something right.

    Any other ideas?

    Thanks.

    Doug
  • Tuesday, November 03, 2009 12:19 AM Jim Harrison IsaDewd

    You say "HTTP policy" - what exactly do you mean; access rule, publishing rule?
    Can you describe the rule (and listener) configuration in detail?


    Jim Harrison Forefront Edge CS
  • Tuesday, November 03, 2009 2:22 AM DougB12345

    I have a publishing rule for OWA (HTTPS) to Exchange 2007.  For the IP address on the primary NIC, it works fine.  I added the IP address from the secondary NIC pointed to the same certificate.  Basic Authentication, FBA with AD.    No access on secondary IP.  This is a typical OWA rule.

    I also had a Publishing rule for web sites (HTTP) on a server.   Again IP address on primary NIC all works fine.  Added the IP from the secondary NIC - no access on secondary IP.  This is a typical Web publishing rule.


    I am not sure how I can add screen shots if you need more detail.

    Doug
  • Wednesday, November 04, 2009 8:26 PM DougB12345

    Just to make things simpler, I can't even PING the secondary IP.

    Pings to the primary IP work fine.  Pings to the secondary never go through.
  • Tuesday, November 17, 2009 7:27 PM DougB12345

    I am still having the problem that any IPs on the secondary NIC will not get through to the destination server.

    Does anybody have any other ideas?

    I will be installing the RTM but I don't get the feeling it will resolve what evidently is some setup problem on my side.

    Thanks for any help.

    Doug