Traffic Being Blocked

  • Question

  • I'm having some trouble getting Forefront TMG to work properly.  I have created a rule to allow all traffic from the FTMG server to any network, and that rule works just fine.  However traffic returned from such requests is denied. 

    For example, if I try to browse a website, I see that the request is sent out and allowed, but that the response back from the web server is being denied.  It's like it's not tracking stateful information. 

    This is preventing the server from functioning at all; I can't even get my server to activate.  I'm running Windows 2008 Server Standard, 32 bit.  Any help would be greatly appreciated.
    Tuesday, December 1, 2009 5:28 PM


All replies

  • Hi,

    You are running TMG on Windows Server 2008 32-bit? This is not possible.
    Please help me to understand you correctly.
    If you try to open a website from an internal client through TMG to an external web server, you get this error message?
    You have to create an allow rule to allow traffic from INTERNAL to external for a specific set of clients and the clients must be a SecureNAT, Firewall Client or Webproxy client.

    regards Marc
    Wednesday, December 2, 2009 5:36 AM
  • It looks like you have an error in your IP/Routing/Network settings so that TMG detects the traffic returned from the request as spoofed (look in the log to verify that spoofing is the deny cause; it is in the "Result Code" field).

    /Kent Nordström

    Wednesday, December 2, 2009 6:18 AM
  • Marc, you're correct, it's 64 bit, my mistake.  Access to external sites actually works.  It's access to my internal sites that doesn't.  The rule is in place that allows traffic out, and I can see from the monitor that outbound traffic is allowed.

    Kent, the result code field doesn't mention a spoofed packet, but it does say that the TCP checksum is bad (0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED) on the reply packets back from the internal website.

    If it helps, I have two NICs in the system, one public, one private.  The public NIC has the gateway and DNS servers configured; the private NIC is just on the local subnet and does not need to access anything beyond its own subnet.
    Wednesday, December 2, 2009 2:55 PM
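An added example, not code from this thread or from TMG, of what the 0xc0040031 (FWX_E_BAD_TCP_CHECKSUM_DROPPED) verdict means at the packet level: a receiver recomputes the TCP checksum over the IPv4 pseudo-header plus the segment, and a segment handed to a NIC for checksum offload still carries an unfinished value, so anything inspecting it before the NIC completes it sees a mismatch. The addresses, ports and the "pseudo-header sum left in the checksum field" offload convention are constructed assumptions for illustration.

```python
import struct

# Constructed example addresses, not from the thread.
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([10, 0, 0, 10])


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum a receiver expects: IPv4 pseudo-header + segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))  # zero, proto 6, TCP length
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_checksum(pseudo + zeroed)


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the checksum carried in the segment matches what the receiver computes."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_syn(src_ip, dst_ip, sport, dport, checksum_field=None) -> bytes:
    """20-byte TCP SYN header. With checksum_field=None the correct checksum is filled in;
    otherwise the given value is stored, as a host does when leaving the work to the NIC."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    if checksum_field is None:
        checksum_field = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", checksum_field) + hdr[18:]


def pseudo_header_sum(src_ip, dst_ip, seg_len) -> int:
    """Uncomplemented pseudo-header sum: the partial value a host may leave in the checksum
    field for the NIC to finish (assumed offload convention, for illustration)."""
    return (~ones_complement_checksum(src_ip + dst_ip + struct.pack("!BBH", 0, 6, seg_len))) & 0xFFFF


GOOD = build_syn(SRC_IP, DST_IP, 40000, 80)
UNFINISHED = build_syn(SRC_IP, DST_IP, 40000, 80, pseudo_header_sum(SRC_IP, DST_IP, 20))

if __name__ == "__main__":
    for name, seg in (("complete", GOOD), ("offload-unfinished", UNFINISHED)):
        verdict = "ok" if tcp_checksum_ok(SRC_IP, DST_IP, seg) else "BAD_TCP_CHECKSUM"
        print(f"{name:20s} stored=0x{seg[16:18].hex()} verdict={verdict}")
```

A capture taken on the sending host itself shows the same unfinished values, which is why a bad-checksum verdict on locally generated traffic points at offload rather than at a corrupt link.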
  • It looks like I should have noticed the checksum error earlier.  Here was the fix:  http://support.microsoft.com/kb/904946

    Thanks for all your help.
    • Marked as answer by Dan112233 Wednesday, December 2, 2009 3:04 PM
    Wednesday, December 2, 2009 3:04 PM