ISP redundancy and reverse proxy

    Question

  • Greetings, community!

    We have two EDGE TMG servers and two INTERNAL TMG servers.

    We have two providers with two dedicated external IP addresses each.

    I configured ISP Redundancy on each EDGE TMG server with these parameters:

    Each EDGE TMG server has two External NIC and one Internal NIC. 

    EDGE 1: Provider1_IP1 and Provider2_IP1

    EDGE 2: Provider1_IP2 and Provider2_IP2

    ISP Connections:

    Provider1 and Provider2

    So, the trouble:

    We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.

    Also we made 4 external DNS records for each Web-Service.

    For example:

    mail.domain.com Provider1_IP1

    mail.domain.com Provider1_IP2

    mail.domain.com Provider2_IP1

    mail.domain.com Provider2_IP2

    If we try to connect from external to any published Web-Service, we have a big delay (~30 sec), and then it connects.

    After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. IP addresses from EDGE 1 are unavailable from external access, but it still works as a Web-Proxy for internal connections. Reverse-Proxy works only for EDGE 2 IP addresses.

    If we shut down the EDGE 2 TMG server, then Reverse-Proxy for the EDGE 1 IP addresses works correctly.

    Why don't all 4 of my external IP addresses work for reverse proxy, but only the 2 from one of my EDGE servers?

    Wednesday, July 16, 2014 12:33 PM

Answers

  • So, the solution was selecting "Requests appear to come from the Forefront TMG computer" in the HTTP/HTTPS redirection rule on the Front-End DMZ TMG servers.
    Tuesday, September 2, 2014 4:59 AM

All replies

  • Hi, Joyce L Pactera!

    Thank you for the reply.

    Yes, I configured my ISP by that instruction: http://technet.microsoft.com/en-us/library/dd440984.aspx

    But I have my internal DNS, so I didn't create persistent routes.

    I think the problem could be with:

    1. Listener on my Internal Servers. I have two rules on my Edge Servers that transfer any HTTP/HTTPS requests from external to the Internal TMG Servers' NLB IP. All my web-published servers are published on the Internal Servers;

    2. Maybe wrong TMG configuration...

    Friday, July 18, 2014 12:11 PM
  • So, I am still trying to solve my problem...

    When I try to connect from External to one of my EDGE1 IP addresses, I get these logs:

    LOGS on DMZ server (EDGE1):

    Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3427) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 21000ms Original Client IP: 77.73.111.194 

    LOGS on INTERNAL server:

    Initiated Connection BLK-TMG-02 21.07.2014 11:27:20 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194


    Closed Connection BLK-TMG-02 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection was abortively closed after one of the peers sent an RST packet.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 304 Number of bytes received: 192
    Processing time: 20281ms Original Client IP: 77.73.111.194
    When I try to connect my EDGE2 server external IP addresses, then:

    LOGS on DMZ server (EDGE2):

    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194


    Closed Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 534 Number of bytes received: 146
    Processing time: 203ms Original Client IP: 77.73.111.194

    Then traffic was redirected to HTTPS:

    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTPS 
    Source: External (77.73.111.194:3430) 
    Destination: Internal (172.16.0.100:443) 
    Protocol: HTTPS Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194

    LOGS on INTERNAL server:

    Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
    Rule: Publish OWA 
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: http 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 1 MIME type:  

    It's OK, because IIS requires SSL. Then:

    Initiated Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194 

    Closed Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 786 Number of bytes received: 318
    Processing time: 15ms Original Client IP: 77.73.111.194

    And HTTPS:

    Allowed Connection BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 302 Moved Temporarily 
    Rule: Publish OWA 
    Source: External (77.73.111.194:3430) 
    Destination: Local Host (10.1.200.129:443) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: https 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x40000000 (Response should not be cached.)
    Processing time: 1 MIME type: text/html; charset=UTF-8 

    I can't understand the difference between these servers. If I shut down EDGE2, the Publishing works fine through EDGE1.

    Monday, July 21, 2014 8:06 AM
  • I found that ISP isn't working properly.

    Traffic is going through only one of my DMZ servers, but through both (2) External IPs on that DMZ server. For example, if it's the DMZ 1 server, then traffic goes through the Provider1_IP1 and Provider2_IP1 addresses.

    Maybe somebody knows why ISP does not work for two DMZ servers with 2 external IPs each?

    Wednesday, July 30, 2014 11:36 AM
  • So, the solution was selecting "Requests appear to come from the Forefront TMG computer" in the HTTP/HTTPS redirection rule on the Front-End DMZ TMG servers.
    Tuesday, September 2, 2014 4:59 AM
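The logs above are consistent with an asymmetric return path: the EDGE1 firewall log shows a 21000ms timeout with zero bytes, while the internal server logs the same connection as initiated and then aborted with an RST, i.e. the backend did answer, but its replies never reached EDGE1. The following model is an added illustration, not code from the thread or from Microsoft; it assumes that the internal TMG has a single default gateway on the DMZ subnet pointing at EDGE2 (the edge addresses 172.16.0.1/172.16.0.2 and the gateway choice are assumptions; 172.16.0.100 and 77.73.111.194 are taken from the logs). It shows why preserving the original client IP breaks one edge while "Requests appear to come from the Forefront TMG computer" makes the backend reply to the edge that sent the request.

```python
"""Model of why one edge's published requests time out (added illustration,
not from the original thread).

Assumption: the internal TMG reaches the DMZ subnet directly and sends all
other traffic to one default gateway (assumed to be EDGE2's internal address)."""
import ipaddress
from dataclasses import dataclass

# Addresses from the thread's logs.
CLIENT_IP = "77.73.111.194"
INTERNAL_LISTENER = "172.16.0.100"
# Constructed/assumed addresses for the two edge TMG servers' internal NICs.
EDGE1_INTERNAL_IP = "172.16.0.1"
EDGE2_INTERNAL_IP = "172.16.0.2"
DMZ_NET = ipaddress.ip_network("172.16.0.0/24")


@dataclass(frozen=True)
class InternalHost:
    """Minimal routing view of the internal TMG: one on-link subnet, one default gateway."""
    on_link: ipaddress.IPv4Network
    default_gw: str

    def next_hop(self, dst: str) -> str:
        """Where a reply to dst is sent: directly if on-link, else to the default gateway."""
        if ipaddress.ip_address(dst) in self.on_link:
            return dst
        return self.default_gw


def source_seen_by_backend(edge_ip: str, client_ip: str, requests_appear_from_tmg: bool) -> str:
    """Source address the backend sees for a request forwarded by an edge.

    'Requests appear to come from the original client' preserves client_ip;
    'Requests appear to come from the Forefront TMG computer' substitutes the
    edge's own internal address (the setting chosen in the accepted answer)."""
    return edge_ip if requests_appear_from_tmg else client_ip


def simulate_publish(edge_ip: str, internal: InternalHost, requests_appear_from_tmg: bool) -> dict:
    """Trace one request through an edge and compute where the backend's reply goes."""
    src = source_seen_by_backend(edge_ip, CLIENT_IP, requests_appear_from_tmg)
    reply_hop = internal.next_hop(src)
    symmetric = reply_hop == edge_ip  # reply returns through the edge that forwarded it
    return {
        "backend_sees_source": src,
        "reply_next_hop": reply_hop,
        "symmetric": symmetric,
        # What the forwarding edge would log in each case.
        "edge_log": ("Initiated Connection / Closed Connection (FIN)" if symmetric
                     else "Failed Connection Attempt (no response, timeout)"),
    }


def run_matrix(default_gw: str = EDGE2_INTERNAL_IP) -> dict:
    """Symmetry result for both edges in both rule modes, given the backend's default gateway."""
    internal = InternalHost(DMZ_NET, default_gw)
    results = {}
    for edge_name, edge_ip in (("EDGE1", EDGE1_INTERNAL_IP), ("EDGE2", EDGE2_INTERNAL_IP)):
        for mode in (False, True):
            results[(edge_name, mode)] = simulate_publish(edge_ip, internal, mode)["symmetric"]
    return results


if __name__ == "__main__":
    for (edge, mode), ok in run_matrix().items():
        setting = "appear from TMG computer" if mode else "appear from original client"
        print(f"{edge:5s} {setting:28s} -> {'symmetric' if ok else 'ASYMMETRIC'}")
```

With the client IP preserved, the backend routes every reply to its default gateway, so only the edge that happens to be that gateway sees a complete handshake; the other edge logs exactly the failed attempt shown above. Running `run_matrix(default_gw=EDGE1_INTERNAL_IP)` flips which edge works, which is one way to read the observation that EDGE1 started working once EDGE2 was shut down (if the gateway is a shared address that fails over). With the edge's own address as source, the reply is on-link and always returns to the forwarding edge, regardless of the gateway.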