Forefront TMG 2010 - originating IP for outgoing traffic from local host
-
Wednesday, March 10, 2010 11:33
Hello! Recently I've added two additional IP addresses to the WAN adapter's TCPIPv4 settings on our TMG 2010 and since then all traffic from localhost is originating from one of those IP addresses. It creates a problem with sending mail through SMTP because now some servers recognize our email traffic as spam (SPF, reverse lookup, EHLO greeting is not OK anymore). So, how can I change the source IP back to the "main" (55.55.79.246) IP address?
Here are the sample results from the ipconfig command:
C:\Users\mym>ipconfig

Windows IP Configuration

Ethernet adapter WAN1:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 55.55.79.243
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   IPv4 Address. . . . . . . . . . . : 55.55.79.245
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   IPv4 Address. . . . . . . . . . . : 55.55.79.246
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 77.108.79.241
If I run ipconfig /all, all three IPs have (preferred) next to them... Maybe it will work if I can make only one of them "preferred"?
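The poster's symptom (rejected mail because of SPF, reverse lookup and EHLO checks) comes from the receiving MTA testing the connection's source address. The following added example, which is not part of the thread, simulates those checks against constructed DNS data (the 55.55.79.x addresses from the post, with hypothetical mail.example.com / example.com records) so the effect of sending from .243 instead of .246 can be seen offline:

```python
import ipaddress

# Constructed sample DNS data (not real records), modelled on the thread:
# .246 is the address the mail exchanger is meant to send from, .243 is the
# address the Windows stack started using after extra IPs were added.
PTR_RECORDS = {"55.55.79.246": "mail.example.com"}
A_RECORDS = {"mail.example.com": ["55.55.79.246"]}
SPF_RECORDS = {"example.com": "v=spf1 ip4:55.55.79.246 -all"}


def spf_allows(record, ip):
    """Minimal SPF check: ip4/ip6 mechanisms and a final 'all' only (no include/a/mx)."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech == "all":
            return qualifier == "+"
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(value, strict=False):
            return qualifier == "+"
    return False  # nothing matched: neutral, which receivers do not treat as a pass


def check_outbound(source_ip, ehlo_name, mail_domain):
    """Simulate the checks a receiving MTA runs on the sender's source address."""
    ptr = PTR_RECORDS.get(source_ip)
    return {
        "ptr_exists": ptr is not None,
        # forward-confirmed rDNS: the PTR name must resolve back to the source IP
        "fcrdns": ptr is not None and source_ip in A_RECORDS.get(ptr, []),
        "ehlo_matches_ptr": ptr == ehlo_name,
        "ehlo_resolves_to_source": source_ip in A_RECORDS.get(ehlo_name, []),
        "spf_pass": spf_allows(SPF_RECORDS.get(mail_domain, "v=spf1 ?all"), source_ip),
    }


def all_checks_pass(result):
    return all(result.values())


if __name__ == "__main__":
    for ip in ("55.55.79.246", "55.55.79.243"):
        result = check_outbound(ip, "mail.example.com", "example.com")
        print(ip, "OK" if all_checks_pass(result) else "FAILS", result)
```

Run with real resolver lookups in place of the dictionaries to confirm, before and after a change to the external NIC, which address outbound SMTP actually leaves from.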
All replies
-
Wednesday, March 10, 2010 12:05
TMG should use the primary IP address bound to your external NIC as the source IP address.
If not, this should help:
http://blogs.technet.com/yuridiogenes/archive/2009/09/13/enhancing-nat-with-tmg.aspx
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd
-
Wednesday, March 10, 2010 12:32
Thank you for a fast reply, however, TMG is not using the first IP address bound to the NIC. In fact, it's using the last address assigned to the NIC. As to the article - it's not possible to change the first default rule with the name "Local Host Access", and I can't create a new rule with localhost as a source network...
Of course, I can change the Internet Access rule - but changes will apply only to the Internal network and other networks, not to the traffic originating from localhost. Or maybe I am doing something not right?
-
Wednesday, March 10, 2010 16:14
Answerer
There is a good public article that talks about this behavior. It seems to be specific to Windows 2008 and has to do with the TCP/IP stack changes.
http://support.microsoft.com/default.aspx?scid=kb%3bEN-US%3b969029
- Proposed as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Monday, March 15, 2010 11:51
- Unproposed as answer by Mishutka, Monday, March 15, 2010 18:58
-
Thursday, March 11, 2010 12:12
Moderator
About the issue that you are facing, I'm not sure why it is not working for you. I have an environment with multiple IPs on the external NIC and this approach works just fine for my SMTP Publishing rule. Your network rule should be from the published Server (SMTP) to External using the IP that you want from the list.
Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
-
Thursday, March 11, 2010 12:32
My SMTP server is located on Forefront TMG itself, so I need a rule from localhost to the Internet, and the problem is that I can't create such a rule. I've got the error message: "The local host network cannot be included in a network rule"... Any workarounds here?
-
Thursday, March 11, 2010 14:27
Moderator
That explains why it is not working; you can't do that in the localhost, as the error message says.
Also, correct me if I'm wrong, but are you trying to do something like this?
Protocol based enhanced NAT is not supported
Issue: Forefront TMG cannot assign NAT IP addresses based on the protocol used (for example, HTTP traffic is assigned one IP address and SMTP another).
Cause: Protocol based enhanced NAT is not supported.
Solution: No workaround.
From: http://technet.microsoft.com/en-us/library/ee796231.aspx
Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
-
Thursday, March 11, 2010 19:43
As recommended by Microsoft we have installed the Microsoft Exchange Server Edge Transport Role on this server, then Forefront Protection for Exchange and on top of that Forefront TMG.
Everything was ok except some problems with TMG fighting with Exchange with policy overwriting, like described here.
After that we published OWA, ActiveSync and Outlook Anywhere. Everything was OK until we decided to publish our internal CRM and some websites...
For those purposes we assigned a few IP addresses to the external interface, assigned SSL certs to them and everything was again OK, except that with each new IP address assigned, all outgoing traffic from the TMG server was coming from that new IP address.
We absolutely don't need protocol based enhanced NAT, we just need a way to control how TMG selects the PREFERRED or SOURCE IP address (from the list of IPs assigned to the external interface) for ALL outgoing traffic from localhost. Can we do this somehow?
-
Thursday, March 11, 2010 20:15
Moderator
OK, in this case you don't need ENAT. Two things that you can check:
1. Since you are using the E-Mail Protection solution you should have within E-Mail Policy the SMTP Routes, and on it you should have the External route, which should bind to the IP that you will use to listen for SMTP requests. Do you have that?
2. Which IP is the one that appears on the default setting of your TCP/IP stack when you open the network properties for the WAN Interface?
Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
-
Friday, March 12, 2010 09:01
Yuri, thank you for your suggestions.
- Yes, we have the E-Mail policy enabled and the External route in place, which was already configured to listen on the external network on a selected IP address, the one that we need (55.55.79.246). And when we have an incoming SMTP request it is served from the correct IP (55.55.79.246); when we test incoming mail pass-through with https://www.testexchangeconnectivity.com/, a very useful tool by the way, everything is green. BUT, when our SMTP server initiates an SMTP connection to another server, the traffic already goes from the wrong IP address (55.55.79.243) and we start to have problems like rejected emails because of failed reverse lookup checks, etc. Any ideas? Do you think it will work if we try to unassign the .246 IP from the interface and then immediately assign it back?
- Well... Before my strange experiments with the netsh tool yesterday we had our nice, sweet 55.55.79.246 IP there - the one that was configured first. All other IPs were assigned using the Windows GUI later: properties -> advanced -> IP settings -> Add... After we assigned an additional IP, all outgoing traffic initiated by TMG began to use the newly assigned IP.
Today I have 55.55.79.243 there and .246 listed as an additional IP in the advanced tab. I did this because I want to try to delete .246 and add it back in a few minutes. Maybe it will help?
-
Friday, March 12, 2010 12:29
Moderator
Correct, try to put the .246 there (to match the address that SMTP is listening on) and add .243 as an additional IP. Reboot the box after that (just to make sure we come back with a new binding order) and then test it again.
Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
- Proposed as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Sunday, March 14, 2010 14:33
- Marked as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Monday, March 15, 2010 11:51
- Unmarked as answer by Mishutka, Monday, March 15, 2010 18:57
-
Monday, March 15, 2010 18:39
Well... I tried to implement those changes on Saturday but the results were a complete disaster...
Now I still have all outgoing traffic leaving from .243 but everything seems to be working, at least. As the only solution available right now, I will change everything so .243 will be our official mail exchanger instead of .246...
- Marked as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Tuesday, March 16, 2010 04:05
-
Tuesday, March 16, 2010 04:05
Moderator
Hi,
Just like Keith said, Windows Server 2008 has a new TCP/IP stack. When a single network interface has more than one IP address, the new stack selects the unicast address to use as the source IP address. Since you have a workaround, I will mark it as ‘Answered’.
If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;969029
Regards,
Nick Gu - MSFT
-
Thursday, October 14, 2010 20:34
Hello
There is a quite simple solution/workaround for it. The point is that this issue is not about Policies but Routing ;)
I did the following steps to set our EXCHANGESERVER 2010 outgoing IP to a different one than the default IP for outgoing traffic. (Means, the EXCHANGESERVER and ALL its traffic will go out using a different IP)
Here are the steps:
1) "Exclude" the computer/server you want to route differently from the INTERNAL TO EXTERNAL (NAT) rule, and APPLY.
2) CREATE A NEW NETWORK RULE (EXAMPLE: EMAIL TO EXTERNAL), where EMAIL would be a hint for you that this rule is about the EMAIL_SERVER.
- Network Relationship > NAT
- Source Networks > put only the SERVER\COMPUTER you want to go out on the different IP
- Destination Networks > External
- NAT Address Selection > Use specific IP ADDRESS > Choose the IP you want
...APPLY and you're done.
CTO ilimitada s.a.
- Proposed as answer by Alex Zehnder, Thursday, October 14, 2010 20:34

