later added public IPs on the TMGs external NIC are not reachable

    Question

  • Hi Guys,
    so far we have been running a single ISA 2006 server (running on 2003 std.) on our network which publishes our Exchange OWA 2010 & ActiveSync, SharePoint sites and so on. This works perfectly; however, for security purposes and for a unique server landscape, we now wanted to install a new TMG 2010 server on Server 2008 R2.

    We already tried this change two years ago and it ended up with us not being able to use the new TMG because not all of our public IPs on the external NIC were reachable from the internet (outside the network). So we thought it was a bug, we waited and now took a second try, even with all the new service packs and hotfixes released in the meantime... and, what shall I say, it still doesn't work.

    What we did: We first installed the new 2008 R2 server while our old ISA 2006 was still in service. No problem so far, the configuration (similar to ISA 2006) worked well and even the import of the old ISA 2006 configuration was no problem. Only the IP addresses of the external NIC were of course not the same as those used on the still active ISA 2006, because both servers are located in the same network and connected to the same router. We used some IPs that were still free within the same range:
    The network address is aaa.bbb.ccc.80, the gateway (router) address is aaa.bbb.ccc.81 and the ISA is hosting addresses aaa.bbb.ccc.82 to aaa.bbb.ccc.90 and the new TMG is initially (updating, testing purposes, etc.) hosting aaa.bbb.ccc.91 - aaa.bbb.ccc.94 (network mask is 255.255.255.240) - at least both are using different ranges within the same network. Up to here everything on the TMG worked fine - internet access, published SharePoint test sites, PINGs, etc.

    On the day we wanted to switch to the new TMG, we shut down the ISA and added the remaining ISA addresses to the TMG's external network card. We set the right NAT IP for external communication - but only a few of the new addresses were reachable from the internet. From the TMG itself or within the internal network, access to all published sites was no problem. But only one listener on the newly added addresses was working (and responding to pings) from the internet while the rest was neither reachable nor pingable.

    What we tried:
    - disabling & re-enabling NICs, restarting server & services, reconfiguring the listeners with other public IPs from the external NIC,...
    - logging of access to the published sites (no access had been recognised)

    We are quite desperate with this issue because, if you believe the search engines, nobody on the whole web seems to have this problem - but we are able to reproduce it again and again :-/

    Any ideas on this issue? We ran out of them...

    Thanks in advance!

    • Changed type finiusWI Thursday, November 01, 2012 12:03 PM
    Thursday, November 01, 2012 11:58 AM

Answers

  • Changing ENAT settings had no effect. Apparently, the import mechanism of TMG server is faulty. Only when the same rules are applied manually, it has no impact on the NICs afterwards.
    • Marked as answer by finiusWI Thursday, November 08, 2012 8:18 AM
    Thursday, November 08, 2012 8:18 AM

All replies

  • Hi,

    Thank you for the post.

    If you have only one External NIC, just ensure that all the ip addresses are in the same subnet. Then you can use publishing rule for different ip addresses.

    Regards,


    Nick Gu - MSFT

    Friday, November 02, 2012 5:11 AM
  • Hi Nick,

    the TMG server has 4 NICs: 2 are disconnected and disabled, 1 is connected to the internal network and one to the external network (ISP). As we only have one public subnet, there is only one subnet defined. Just the first half of the range is used on the still productive ISA and the second half is defined on the new TMG for testing purposes.

    When we now add the first half of the public IP addresses of the ISA server (and then of course shut down the ISA afterwards) on the new TMG, these IPs are not reachable (or just one or two of them - it differs from try to try).

    Completely strange behaviour to me.

    Has anyone heard about this issue?

    Friday, November 02, 2012 9:17 AM
  • Hi,

    Thank you for the post.

    Please check the ENAT settings, TMG will use the smallest IP configured on this interface if you choose the “Use the default IP Address” setting: http://blogs.technet.com/b/isablog/archive/2011/03/17/tmg-enhanced-nat-considerations-when-using-the-default-ip-address.aspx

    Regards,


    Nick Gu - MSFT

    Monday, November 05, 2012 7:46 AM
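    The following is an added example, not code from this thread or from TMG: it checks the public IP layout described above (one /28, the router on .81, the usable addresses split between ISA and TMG) and reports which address the ENAT "Use the default IP Address" setting would pick, namely the lowest address bound to the external NIC. The 203.0.113.x addresses are constructed stand-ins for aaa.bbb.ccc.x.

```python
"""Sanity-check the public addresses bound to a TMG external NIC.

Constructed example: 203.0.113.80/28 stands in for the thread's
aaa.bbb.ccc.80/28, with .81 as the router and .82-.94 as the
addresses moved from the old ISA plus the TMG's own test addresses.
"""
import ipaddress

NETWORK = ipaddress.ip_network("203.0.113.80/28")   # constructed stand-in
GATEWAY = ipaddress.ip_address("203.0.113.81")      # constructed stand-in
# Addresses on the TMG external NIC after the ISA addresses were added
TMG_EXTERNAL_IPS = [f"203.0.113.{h}" for h in range(82, 95)]
# Addresses the web listeners are configured on (constructed)
LISTENER_IPS = ["203.0.113.82", "203.0.113.85", "203.0.113.91"]


def check_external_nic(network, gateway, bound_ips, listener_ips):
    """Return findings about the external NIC configuration.

    problems:          addresses outside the subnet, the network/broadcast
                       address, or a collision with the gateway
    unbound_listeners: listener addresses the NIC does not actually carry
    enat_default_ip:   the address ENAT uses for outbound traffic with
                       "Use the default IP Address" (lowest bound address)
    """
    bound = [ipaddress.ip_address(ip) for ip in bound_ips]
    problems = []
    for ip in bound:
        if ip not in network:
            problems.append(f"{ip} is outside {network}")
        elif ip in (network.network_address, network.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address")
        elif ip == gateway:
            problems.append(f"{ip} collides with the gateway")
    unbound = [ip for ip in listener_ips
               if ipaddress.ip_address(ip) not in bound]
    return {
        "problems": problems,
        "unbound_listeners": unbound,
        "enat_default_ip": str(min(bound)) if bound else None,
    }


if __name__ == "__main__":
    for key, value in check_external_nic(
            NETWORK, GATEWAY, TMG_EXTERNAL_IPS, LISTENER_IPS).items():
        print(f"{key}: {value}")
```

    Run it against the addresses actually reported by the NIC (for example from `ipconfig`) rather than the intended list, so that an address that silently failed to bind shows up under unbound_listeners.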