TMG internal NLB

Question

  • I have a strange issue with a TMG standalone array.
    I have enabled NLB on my 2 TMG servers on the internal NICs.
    TMG1 has 192.168.1.1 and TMG2 has ip 192.168.1.2
    Created a NLB/VIP 192.168.1.10 255.255.255.0

    Internal Network = 192.168.1.0 - 192.168.1.255

    When I configure an internal server SERVER1 (that has IP = 192.168.1.21) with the IP of the TMG internal NLB 192.168.1.10 as default gateway, the TMG log says DENIED & a packet was dropped because TMG determined that the source IP address is spoofed.
    The strangest thing is that on the server SERVER1 I get PING replies (but TMG says DENIED!!)

    When I configure on SERVER1 the default gateway TMG1 (IP = 192.168.1.1), packets are DENIED in the log and there are NO PING replies on SERVER1, as it should be.
    Monday, September 13, 2010 2:22 PM

Answers

  • Disabled NLB on LAN changed Publishing rule to "appear from TMG computer" and works like a charm. Even if client has TMG1 as default gateway and TMG1 is down. Sites still work with this setting.
    • Marked as answer by dikkehaaj Tuesday, September 14, 2010 5:09 PM
    Tuesday, September 14, 2010 5:09 PM

All replies

  • If you get a ping reply on the client and the TMG denies the traffic, there has to be something else that answers your ping.
    Or is there something else installed on the TMG servers, like a local antivirus/firewall or something like that?

    Do you allow ping from the internal or the server IP to the TMG (local host)? Ping to the TMG is not allowed by default.

    Monday, September 13, 2010 7:29 PM
  • Yup, that's the strange thing: I get a reply on the client (that has the VIP as default gateway), a reply on PING (and TMG says DENIED).
    I'm pinging google, also tested with 'telnet mail1.domain.com 25', same behaviour: the telnet session opens on the client (and for outbound 25 there is no access rule in TMG, so it should be blocked).

    I have no allow rule for ping; as I told, if I switch from VIP to the static TMG1 IP, PING is blocked; if I switch to VIP it is DENIED but I get a response.

    Clean R2 and TMG 2010 + SP1 install, further no software installed.

    Monday, September 13, 2010 8:16 PM
  • Is this a two NIC deployment with an external interface?

    Just some basics for the network setup:
    How is the binding order of the NICs? Is the internal NIC on the top, and is the unused NIC disabled and at the bottom of the binding list?
    Do you only have a default gateway on the external NIC?

    Disable TCP offload:
    To disable TCP Offloading, use the following registry entry for task offloading for the TCP/IP protocol:
    Subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters
    Entry: DisableTaskOffload
    Type: REG_DWORD
    Set this registry entry to 1 to disable all task-offloading from the TCP/IP transport.

    Tuesday, September 14, 2010 6:26 AM
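    The registry change suggested in the reply above, written out as an added PowerShell example (not code from the thread or from Microsoft documentation). It reads the current value, creates the REG_DWORD entry with the value 1 that the reply specifies, and verifies the write; the key path and entry name are the ones the reply gives, and the script assumes it is run in an elevated PowerShell on the TMG host.

```powershell
# Added example: disable TCP/IP task offloading on the TMG host via the registry entry
# named in the reply above. Key path and value name are taken from that reply.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$name = 'DisableTaskOffload'

function Get-TaskOffloadSetting {
    # Returns the current DWORD value, or $null when the entry does not exist yet.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Disable-TaskOffload {
    # Creates (or overwrites, thanks to -Force) the REG_DWORD entry with value 1.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-TaskOffloadSetting
if ($null -eq $before) { Write-Host 'Before: <not set> (offloading enabled by default)' }
else                   { Write-Host "Before: $before" }

Disable-TaskOffload

$after = Get-TaskOffloadSetting
if ($after -ne 1) { throw "DisableTaskOffload was not written correctly (read back: $after)" }
Write-Host "After: DisableTaskOffload = $after; the change applies once TCP/IP reinitialises (reboot the host)."
```

    Record the "Before" value before testing so the change can be reverted cleanly if, as in this thread, it turns out not to be the cause.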
  • First of all, thanks for helping.

    Both TMG servers have 3 NICs (the TMG servers are virtual):

    1 Perimeter (back firewall) NIC (WAN) with external IP and default gateway
    1 Internal NIC (LAN) with internal IP, no default gateway
    1 Intra-array NIC with a totally different private IP than the Internal NIC, for intra-array traffic
    (* created an "allow all Intra-Array & Local Host <-> Intra-Array & Local Host" rule)

    On the external NICs NLB is enabled and works OK; no traffic is passed if it isn't allowed.
    When we also enable NLB on the LAN NICs and on a client use this VIP as default gateway, traffic is passed even when there is no allow rule for it.

    The Intra-Array NIC was on top of the binding list; I have now set LAN on top.
    Also I disable TCP offload now and test both settings.

    I'll be back with results:

    - Binding order didn't fix it.
    - DisableTaskOffload also didn't fix it.
    Tuesday, September 14, 2010 6:45 AM
  • First of all, there's an issue with running integrated NLB on a Hyper-V guest: http://blogs.technet.com/b/isablog/archive/2009/12/22/how-to-get-nlb-to-work-with-forefront-tmg-when-running-in-hyper_2d00_v.aspx . Also, make sure NLB is running on both of your array servers (FF TMG console --> Monitoring --> Services --> Integrated NLB).

    Also, there are some issues (maybe related to the above mentioned) about spoofing; you should not receive spoofing alerts in a simple configuration. Spoofing generally means asymmetric routing (packets flow in strange directions, not as expected). How did you set up the array? If you are running simple Edge or even 3-leg modes, you should not receive that alert.
    Tuesday, September 14, 2010 7:20 AM
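    To make the "source IP address is spoofed" verdict concrete, here is an added PowerShell example (not code from the thread and not TMG's own implementation) of the simplified per-adapter check behind it: a packet is accepted only when its source address lies inside the network range TMG associates with the adapter it arrived on, so a packet that reaches the wrong NIC (the asymmetric-routing case the reply above describes) is dropped as spoofed. The network ranges are the ones the thread gives; the adapter names and the sample packets are constructed for the example, and the real check also consults the routing table, which this model omits.

```powershell
# Added example: simplified model of the per-adapter source-address check that
# produces the "source IP address is spoofed" drop. Adapter names and sample
# packets are constructed; the address ranges are the thread's own.

function ConvertTo-UInt32 ([string]$Ip) {
    # IPv4 dotted-quad -> unsigned integer so ranges can be compared numerically.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InRange ([string]$Ip, [string]$First, [string]$Last) {
    $n = ConvertTo-UInt32 $Ip
    return ($n -ge (ConvertTo-UInt32 $First)) -and ($n -le (ConvertTo-UInt32 $Last))
}

# TMG networks are address ranges (first-last), as listed in the thread, bound to one adapter each.
$Networks = @{
    'LAN'        = @{ First = '192.168.1.0'; Last = '192.168.1.255' }   # Internal network
    'IntraArray' = @{ First = '172.21.3.0';  Last = '172.21.3.255'  }   # Intra-Array network
}

function Get-SpoofVerdict ([string]$SourceIp, [string]$Adapter) {
    # 'ok' when the source belongs to the network bound to the receiving adapter, else 'spoofed'.
    $net = $Networks[$Adapter]
    if ($null -eq $net) { return 'unknown adapter' }
    if (Test-InRange $SourceIp $net.First $net.Last) { return 'ok' }
    return 'spoofed'
}

# Constructed sample packets: (source address, adapter the packet arrived on)
$samples = @(
    @('192.168.1.21', 'LAN'),          # SERVER1 arriving on the internal NIC: expected
    @('192.168.1.21', 'IntraArray'),   # same source arriving on the intra-array NIC: spoofed
    @('172.21.3.2',   'IntraArray'),   # TMG2 intra-array traffic on its own NIC: expected
    @('172.21.3.2',   'LAN')           # intra-array address seen on the LAN NIC: spoofed
)
foreach ($s in $samples) {
    '{0,-14} on {1,-10} -> {2}' -f $s[0], $s[1], (Get-SpoofVerdict $s[0] $s[1])
}
```

    The second and fourth rows are the shape of the log entry the original poster sees: the address is a perfectly valid Internal address, but it was received on an adapter that is not bound to the Internal network, which is why "it is in the Internal Network" does not by itself rule out the spoof verdict.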
  • We use Multicast instead of Unicast, but (we use R2 Hyper-V) I enabled "Enable spoofing of MAC addresses" only on the LAN interface, where the problem exists in my opinion.

    The problem still exists: traffic flows through and there is no access rule for it.

    I don't know where the spoof messages come from:
    - TMG1 LAN IP = 192.168.1.1 and TMG2 has IP 192.168.1.2, both 255.255.255.0
    - TMG1 WAN (perimeter) IP = 99.99.99.212 and TMG2 has IP 99.99.99.223, both 255.255.255.128 (and 5 VIP addresses)
    - TMG1 Intra-Array IP = 172.21.3.1 and TMG2 has IP 172.21.3.2, both 255.255.255.0

    Internal = 192.168.1.0 - 192.168.1.255
    Intra-Array = 172.21.3.0 - 172.21.3.255

    How can the address from client 192.168.1.21 be marked as spoofed, as it is in the Internal Network?
    It is a back firewall config, 2 array members, intra-array traffic over a dedicated NIC.

    I have disabled NLB on LAN, configured on the client default gateway = TMG1, and traffic is blocked and there are no spoof messages.

    Tuesday, September 14, 2010 8:03 AM
  • Just to make sure, what is the Integrated NLB status shown in (Forefront TMG console --> Monitoring --> Services --> Integrated NLB)?
    Tuesday, September 14, 2010 8:21 AM
  • I'm terribly sorry, I forgot to answer this question:

    - TMG1 and TMG2, NLB = Running
    And I can confirm this, as NLB on WAN is working like a charm; no probs there with spoofing or traffic not being denied.

    Intra-Array and Internal Network are on the same VLAN but with different IP and subnet; can this cause issues?


    Enabled NLB again on LAN, and telnet mail.doman.com 25 opens a telnet session (no access rule for it :-S).
    In TMG I see:
    - the policy rules do not allow the user request
    - a packet was dropped because TMG determined that the source IP is spoofed (IP = on TMG internal subnet)
    - a non-SYN packet was dropped because it was sent by a source that does not have an established connection with the TMG computer (again source IP = on TMG internal subnet)

    • Edited by dikkehaaj Tuesday, September 14, 2010 9:16 AM log
    Tuesday, September 14, 2010 8:35 AM
  • I found this post:

    http://tmgblog.richardhicks.com/2010/07/09/load-balancing-and-forefront-tmg-firewall-clients/

    Does this mean NLB on LAN will never work and client machines should point to the TMG IP?

    Tuesday, September 14, 2010 9:51 AM
  • Disabled NLB on LAN changed Publishing rule to "appear from TMG computer" and works like a charm. Even if client has TMG1 as default gateway and TMG1 is down. Sites still work with this setting.
    • Marked as answer by dikkehaaj Tuesday, September 14, 2010 5:09 PM
    Tuesday, September 14, 2010 5:09 PM