Allow Traffic through Forefront TMG

I have 4 LAN to LAN VPNs terminating at my Cyberoam gateway (front firewall). These are:

192.168.0.0/24
192.168.2.0/24
192.168.20.0/24
192.168.30.0/24

I also have another subnet local to the Cyberoam (192.168.10.0/24) that I also want to allow through the TMG firewall.

I need to allow the traffic through the back firewall Forefront TMG 2007.

I have done all the things I think I need to with zero success.

I have added in the networks and created a network rule (routed).

I have tried creating a new network (called Remote subnets) and adding the subnets to this group.

I have also tried creating 2 firewall rules to allow traffic each way from the remote subnets to the internal network and vice versa.

I can't see anything else to do and I've tried various configurations. There are no errors in the logs to work on.

The Forefront server is on the 10.10.10.0/24 network with an IP address of 10.10.10.24. This has a 2nd NIC connected to the front firewall.

The address of the TMG (back firewall) is 10.0.0.2.
The address of the Cyberoam (front firewall and VPN end point) is 10.0.0.1.

I know all the routing is okay as I can access the remote subnets from the subnet behind the TMG without a problem. It's just opening up the TMG firewall.
b_squared asked:

pwindell commented:
I guess you probably don't want to hear from me since you started over on a new thread. However I now know a little more about what you are doing than what I knew when I got involved before.

In your description above I don't see where you created the static route on the Cyberoam nor where you added the IP range(s) that exist behind the TMG into the LAT on the Cyberoam.

I don't see in the description above where the Default Gateway is defined for hosts that are "between" the Cyberoam and the TMG.

Creating a new "network" on the TMG may or may not have been the right thing to do. But not enough information about the layout to say. It will be a "black & white" thing,..it was either completely right to do that, or completely wrong to do it,..there is no gray area with that.

In the end you may have to upload a diagram that fills in the details.
b_squared (author) commented:
I don't hold grudges, don't worry, just thought I would try and be clearer.
Routes are created on the Cyberoam by the creation of the VPNs and other subnets connected to it.
The 4 remote subnets are connected via 4 VPNs, so the routes are created this way.
192.168.10.0 (old network) is directly connected to the cyberoam, so the route is there.
10.0.0.0 is directly connected to the cyberoam, so the route is there.
10.10.10.0 isn't connected to the cyberoam, so the cyberoam is not aware of this, so I created a static route with 10.0.0.2 as the gateway (external ip address of the TMG).
The default gateway for the 10.10.10.0/24 subnet is 10.10.10.24 (TMG internal address). The TMG has a gateway of 10.0.0.1 (Cyberoam) There is only the TMG and Cyberoam on this network and they are directly connected.
If I disconnect the TMG from the setup and change the IP address of the Cyberoam to 10.10.10.24 then everything works perfectly, both into and out of the network. As soon as I connect the TMG back in, all inbound traffic is blocked (as a firewall should) but I cannot find a way to allow it through. I will sort out a diagram in a minute.
b_squared (author) commented:
Here is a rough network image, showing the 4 remote subnets connected to the Cyberoam.
The old network (192.168.10.0/24) that is being replaced and the new network featuring TMG using EBS (10.10.10.0/24).
I hope this makes things clearer.

network.jpg
pwindell commented:
If I disconnect the TMG from the setup and change the IP address of the Cyberoam to 10.10.10.24 then everything works perfectly, both into and out of the network, as soon as I connect the TMG back in, all inbound traffic is blocked (as a firewall should) but I cannot find a way to allow it through. I will sort out a diagram in a minute

That is what you should be doing in the first place. This is what I originally meant when I suggested removing TMG from the box. Yes it is part of the EBS package but I don't believe that TMG is not removable. It should not be any different than SBS2003 Premium with ISA2004 was. But if it is not removable then just leave the "external" NIC unplugged after you set the NIC to DHCP.

Beyond that I don't really see anything wrong. The routes sound correct and if you created the Access Rule properly as I described before,...then it should work. If it doesn't work,...then maybe it "just won't work". I have been told by people who are closely familiar with EBS that the product has been such a disaster that MS is throwing it in the dumpster in its current form. There is supposed to be a major update coming out (if it hasn't already) that changes the structure so that the different components of the product can be split up onto different machines so that everything operates in a more logical and natural fashion that is more flexible and scalable to real world situations. I was told the update is free.

But I am certainly not an "EBS Guy" by any stretch,...you may want to ask the vendor it was purchased from for details.  You may also have to call MS Support to get past what you are fighting with now, if you insist on running it with two nics.
pwindell commented:
Additional:

You said you "created networks" on the TMG,...and I said that may be completely right or completely wrong. Well, with this diagram that would have been completely wrong. All (every one of) the 192.168 networks and the 10.0.0.x networks would all already be in the External Network. Creating other networks without a corresponding dedicated NIC to service them will screw it up.
b_squared (author) commented:
I thought so, it seemed to suggest that way.
I also tried address ranges/subnets and created rules based on that.
Something else with EBS has gone wrong and we've lost the security server and can't get it back as TMG wasn't removed before it died, so it cannot be reinstalled (installer won't get past a certain point). So we are saying bye bye to EBS.
It seems it works very well as long as it's not put behind an existing firewall. I can see why MS dropped it. We're now testing out SBS and some other bits as a replacement.
pwindell commented:
SBS is just as bad,..or at least almost. SBS is an absolute disaster when it comes to disaster recovery (no pun intended). It also has hard limits on the number of users that can be on the network and will chop you off at the knees when it hits the limit. SBS will not interact with other Domains in any way that you might expect it to. Then you almost need an IT person who specializes in SBS just to deal with it on a daily basis because of all the odd things about SBS. What is usually true in the SBS world is not true in the real world and what is true in the real world is not true in the SBS world.

Buy regular Server products,..not the special "package" products.
b_squared (author) commented:
I need to use EBS or SBS due to licensing (I won't go into it). SBS although it has its limits will do everything we need.
EBS has all the same limitations, just a higher user limit (300).
pwindell commented:
Ok,..well then I recommend you don't use SBS Premium unless you need the SQL Server.

Run with one NIC,...just like any other host on the LAN.

If you use SBS Premium then don't add the ISA component,...and run with a single NIC. I do like ISA,..that is not the problem,...but you already have a Firewall Product entrenched in the system now (Cyberoam),...I don't think you should get yourself into the mess and excess complexity of a Back-to-Back DMZ with two Firewalls in a situation that does not lend itself to that design,...and your system does not lend itself to that design due to the VPNs and how they are handled.
b_squared (author) commented:
I didn't want the firewalls, but you have no choice with EBS. It's a huge pain to configure with a front and back firewall and people are missing it for this reason.
Not going to use SQL on that server, have another server lined up for that.
Thanks for the help.
DNadon57 commented:
b_squared, the configuration you have will work if things are defined properly. I manage a network with a setup that's almost identical to yours and it's been in production for over a year now. The only difference I can see is that my front firewall/router is a Fortinet device and my VPN tunnels for the external networks are terminated on the DMZ zone (the network between the router and TMG). I did not have to define any rules in TMG to allow the networks through the firewall. Instead, the remote networks are defined as internal networks to TMG. You can confirm that they are internal by checking the internal networks properties in the Network Objects section of the toolbox tab in the firewall policy section of TMG. They get defined when you specify the networks as trusted networks in the "Getting Started Wizard" for TMG. Start with that and if they are defined, I'll check further and see what else you may be missing.

pwindell, EBS does require TMG and the security server. It will not function properly without it. It was a challenge to get it all working, though. You are correct, MS is dropping the product from a marketing perspective but will continue to support it until it reaches end of life. As far as I know there are no major updates coming to change the product as you indicated. What they are doing is allowing those of us running the product to get licenses for the standalone version of all the products running in EBS such as Server 2008, Exchange 2007, SQL Server 2008 and so on.

According to MS, the reason for dropping the product is that they say that with "cloud computing" and SaaS, there is no market for EBS. I don't agree with that, though. If they are dropping EBS but plan on continuing to market SBS, their reasoning doesn't make sense to me. It seems to me that sites that are big enough to run EBS would be less inclined to go with "cloud computing" or Windows Azure than sites that run SBS. If you're small enough to run SBS, I think you'd be more inclined to go with hosted services and eliminate the need for IT support than a site that's large enough to run EBS. I think the real reason is that the product just doesn't work well and does require very knowledgeable IT support.

I've been supporting Windows since Windows 3.1 days and to be honest when I first saw the marketing blurbs on EBS 2 years ago, it sounded like a great solution. Unfortunately, the implementation has been less than stellar. Sales were very low (or so I heard from the MS EBS support team) and I suspect support has been a challenge even for MS. For example, I opened a problem with MS due to issues I was having with DPM 2007 running in my EBS network last October. They never found a solution to the problem and I had EBS support, TMG support and DPM support involved. Eventually I found a circumvention that worked until I installed SP2 for Windows 2008 which finally resolved the problem.

With all the issues I've encountered and still encounter with EBS, I no longer recommend EBS as a solution. You're probably better off to go with the standalone products and Server 2008 Standard edition. If you're interested in saving money, though, buy EBS then convert the licenses after June 30th and install Server 2008 Standard with the products you need, instead.
pwindell commented:
The only difference I can see is that my front firewall/router is a Fortinet device and my VPN tunnels for the external networks are terminated on the DMZ zone (the network between the router and TMG). I did not have to define any rules in TMG to allow the networks through the firewall. Instead, the remote networks are defined as internal networks to TMG. You can confirm that they are internal by checking the internal networks properties in the Network Objects section of the toolbox tab in the firewall policy section of

They cannot be defined as Internal if they do not enter the TMG through the Internal Interface.  If they enter the TMG through the External Interface (like they are here) then they have to be left defaulted to External.

I don't think this even needs pursuing. The thread has already dragged on to the point that it was "restarted" fresh with the post you responded to,...the poster has already abandoned EBS for reasons even beyond this,....is going to run SBS instead (hopefully a single NIC without ISA),....and I think this will just confuse and muddy the waters.

As far as I know there are no major updates coming to change the product as you indicated. What they are doing is allowing those of us running the product to get licenses for the standalone version of all the products running in EBS such as Server 2008, Exchange 2007, SQL Server 2008 and so on.

That is what I was referring to, but I did not have all the details about it.
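A way to check the point pwindell makes above (a TMG network object is bound to the NIC its traffic enters on, so subnets reached via the external NIC can only belong to External, and a custom "Remote subnets" network needs its own dedicated NIC), using the addresses from the original question. This is an added example, not code from the thread or from TMG itself; the NIC table layout and names such as `entry_nic` are assumptions of the example.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses come from the posts;
# the table layout is an assumption of this example, not a TMG structure.
# Each TMG NIC: its address/mask and the built-in network object bound to it
# (None would mean a spare NIC that a custom network could be attached to).
TMG_NICS = {
    "LAN": {"addr": "10.10.10.24/24", "network": "Internal"},
    "WAN": {"addr": "10.0.0.2/24",    "network": "External"},
}
TMG_DEFAULT_GATEWAY = "10.0.0.1"   # the Cyberoam, i.e. the front firewall

# The subnets the poster wants to reach through TMG (4 VPN sites + old LAN).
REMOTE_SUBNETS = ["192.168.0.0/24", "192.168.2.0/24", "192.168.20.0/24",
                  "192.168.30.0/24", "192.168.10.0/24"]

def entry_nic(subnet, nics=TMG_NICS, gateway=TMG_DEFAULT_GATEWAY):
    """Name of the NIC on which traffic from `subnet` reaches TMG: a directly
    connected NIC wins, otherwise the NIC that can reach the default gateway."""
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    via_gateway = None
    for name, nic in nics.items():
        local = ipaddress.ip_interface(nic["addr"]).network
        if net.overlaps(local):
            return name
        if gw in local:
            via_gateway = name
    if via_gateway is None:
        raise ValueError(f"no route to {subnet}")
    return via_gateway

def tmg_network_for(subnet, nics=TMG_NICS, gateway=TMG_DEFAULT_GATEWAY):
    """The network object a subnet must stay in: whatever is bound to the NIC
    it enters on (here every remote subnet enters on the WAN NIC -> External)."""
    return nics[entry_nic(subnet, nics, gateway)]["network"]

def custom_network_problems(members, nics=TMG_NICS, gateway=TMG_DEFAULT_GATEWAY):
    """Check a proposed custom TMG network such as the poster's 'Remote
    subnets'. It is only consistent if every member enters on the same NIC
    and that NIC is not already bound to a built-in network. Returns findings;
    an empty list means the custom network object is safe to create."""
    findings = []
    for subnet in members:
        nic = entry_nic(subnet, nics, gateway)
        bound = nics[nic]["network"]
        if bound is not None:
            findings.append(f"{subnet} enters on {nic}, already bound to {bound}")
    nics_used = {entry_nic(s, nics, gateway) for s in members}
    if len(nics_used) > 1:
        findings.append(f"members span several NICs: {sorted(nics_used)}")
    return findings
```

Run against the question's two-NIC layout every remote subnet lands on the WAN NIC, so the check reports all five members as already belonging to External; only a spare third NIC facing those subnets would make a separate network object consistent.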