Question from b_squared:
Allow Traffic through Forefront TMG

I have 4 LAN to LAN VPNs terminating at my Cyberoam gateway (front firewall). These are:

192.168.0.0/24
192.168.2.0/24
192.168.20.0/24
192.168.30.0/24

I also have another subnet local to the Cyberoam (192.168.10.0/24) that I also want to allow through the TMG firewall.

I need to allow the traffic through the back firewall Forefront TMG 2007.

I have done all the things I think I need to with zero success.

I have added in the networks and created a network rule (routed).

I have tried creating a new network (called Remote subnets) and adding the subnets to this group.

I have also tried creating 2 firewall rules to allow traffic each way from the remote subnets to the internal network and vice versa.

I can't see anything else to do and I've tried various configurations. There are no errors in the logs to work on.

The Forefront server is on the 10.10.10.0/24 network with an IP address of 10.10.10.24. This has a 2nd NIC connected to the front firewall.

The address of the TMG (back firewall) is 10.0.0.2.
The address of the Cyberoam (front firewall and VPN end point) is 10.0.0.1.

I know all the routing is okay as I can access the remote subnets from the subnet behind the TMG without a problem. It's just opening up the TMG firewall.

pwindell:

I guess you probably don't want to hear from me since you started over on a new thread. However, I now know a little more about what you are doing than what I knew when I got involved before.

In your description above I don't see where you created the static route on the Cyberoam, nor where you added the IP range(s) that exist behind the TMG into the LAT on the Cyberoam.

I don't see in the description above where the Default Gateway is defined for hosts that are "between" the Cyberoam and the TMG.

Creating a new "network" on the TMG may or may not have been the right thing to do. But there is not enough information about the layout to say. It will be a "black & white" thing: it was either completely right to do that, or completely wrong to do it; there is no gray area with that.

In the end you may have to upload a diagram that fills in the details.
b_squared (asker):
I don't hold grudges, don't worry, just thought I would try and be clearer.
Routes are created on the Cyberoam by the creation of the VPNs and other subnets connected to it.
The 4 remote subnets are connected via 4 VPNs, so the routes are created this way.
192.168.10.0 (old network) is directly connected to the Cyberoam, so the route is there.
10.0.0.0 is directly connected to the Cyberoam, so the route is there.
10.10.10.0 isn't connected to the Cyberoam, so the Cyberoam is not aware of this, so I created a static route with 10.0.0.2 as the gateway (external IP address of the TMG).
The default gateway for the 10.10.10.0/24 subnet is 10.10.10.24 (TMG internal address). The TMG has a gateway of 10.0.0.1 (Cyberoam). There is only the TMG and Cyberoam on this network and they are directly connected.
If I disconnect the TMG from the setup and change the IP address of the Cyberoam to 10.10.10.24 then everything works perfectly, both into and out of the network. As soon as I connect the TMG back in, all inbound traffic is blocked (as a firewall should) but I cannot find a way to allow it through. I will sort out a diagram in a minute.
Here is a rough network image, showing the 4 remote subnets connected to the Cyberoam.
The old network (192.168.10.0/24) that is being replaced and the new network featuring TMG using EBS (10.10.10.0/24).
I hope this makes things clearer.

[network.jpg]

pwindell:

"If I disconnect the TMG from the setup and change the IP address of the Cyberoam to 10.10.10.24 then everything works perfectly, both into and out of the network. As soon as I connect the TMG back in, all inbound traffic is blocked (as a firewall should) but I cannot find a way to allow it through. I will sort out a diagram in a minute."

That is what you should be doing in the first place. This is what I originally meant when I suggested removing TMG from the box. Yes, it is part of the EBS package but I don't believe that TMG is not removable. It should not be any different than SBS2003 Premium with ISA2004 was. But if it is not removable then just leave the "external" NIC unplugged after you set the NIC to DHCP.

Beyond that I don't really see anything wrong. The routes sound correct and if you created the Access Rule properly as I described before, then it should work. If it doesn't work, then maybe it "just won't work". I have been told by people who are closely familiar with EBS that the product has been such a disaster that MS is throwing it in the dumpster in its current form. There is supposed to be a major update coming out (if it hasn't already) that changes the structure so that the different components of the product can be split up onto different machines, so that everything operates in a more logical and natural fashion that is more flexible and scalable to real world situations. I was told the update is free.

But I am certainly not an "EBS Guy" by any stretch; you may want to ask the vendor it was purchased from for details. You may also have to call MS Support to get past what you are fighting with now, if you insist on running it with two NICs.

Additional:

You said you "created networks" on the TMG, and I said that may be completely right or completely wrong. Well, with this diagram that would have been completely wrong. All (every one of) the 192.168 networks and the 10.0.0.x networks would all already be in the External Network. Creating other networks without a corresponding dedicated NIC to service them will screw it up.
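pwindell's point that a TMG network only makes sense when an adapter serves it can be shown with a small model. The Python below is an added example written for this thread; it is not code from TMG, from Microsoft or from either participant. It assumes a simplified version of TMG's behaviour: the source address of a packet must fall inside the network bound to the adapter it arrived on, otherwise the packet is dropped as spoofed before any access rule is consulted, and "External" implicitly owns every address not claimed by another network. The adapter names, the two configurations and the rule sets are constructed from the topology described above.

```python
import ipaddress

EXTERNAL = "External"


class FirewallModel:
    """Simplified model of a multi-adapter firewall (TMG-style): every address
    is owned by exactly one named network, and each adapter is bound to one
    network.  Added illustration, not TMG code."""

    def __init__(self, networks, adapters, rules):
        # networks: {name: [cidr, ...]}.  "External" is implicit and owns
        # every address that belongs to no other named network.
        self.networks = {
            name: [ipaddress.ip_network(c) for c in cidrs]
            for name, cidrs in networks.items()
        }
        self.adapters = dict(adapters)   # {adapter name: bound network name}
        self.rules = set(rules)          # {(source network, destination network)}

    def network_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, ranges in self.networks.items():
            if any(addr in r for r in ranges):
                return name
        return EXTERNAL

    def evaluate(self, src_ip, dst_ip, ingress_adapter):
        """Return (verdict, reason) for a packet arriving on ingress_adapter."""
        src_net = self.network_of(src_ip)
        bound = self.adapters[ingress_adapter]
        # Anti-spoofing check (the assumption this model makes about TMG):
        # the source must belong to the network bound to the ingress adapter,
        # otherwise the packet never reaches the access rules.
        if src_net != bound:
            return ("DROP", f"spoofed: {src_ip} belongs to '{src_net}' but "
                            f"adapter '{ingress_adapter}' is bound to '{bound}'")
        dst_net = self.network_of(dst_ip)
        if (src_net, dst_net) in self.rules:
            return ("ALLOW", f"access rule {src_net} -> {dst_net}")
        return ("DENY", f"no access rule for {src_net} -> {dst_net}")


# Constructed topology from the thread: the TMG has an internal adapter on
# 10.10.10.0/24 and an external adapter on the 10.0.0.0/24 link to the Cyberoam.
ADAPTERS = {"internal": "Internal", "external": EXTERNAL}
REMOTE_SUBNETS = ["192.168.0.0/24", "192.168.2.0/24", "192.168.20.0/24",
                  "192.168.30.0/24", "192.168.10.0/24"]


def asker_config():
    """Remote subnets placed in their own TMG network that no adapter serves."""
    return FirewallModel(
        networks={"Internal": ["10.10.10.0/24"], "Remote subnets": REMOTE_SUBNETS},
        adapters=ADAPTERS,
        rules={("Remote subnets", "Internal"), ("Internal", "Remote subnets")},
    )


def corrected_config():
    """Remote subnets left in External, which the external adapter serves."""
    return FirewallModel(
        networks={"Internal": ["10.10.10.0/24"]},
        adapters=ADAPTERS,
        rules={(EXTERNAL, "Internal"), ("Internal", EXTERNAL)},
    )


if __name__ == "__main__":
    # A host on one of the VPN subnets sends to a host behind the TMG; the
    # packet arrives on the TMG's external NIC in both configurations.
    for label, model in (("separate network", asker_config()),
                         ("external network", corrected_config())):
        print(label, model.evaluate("192.168.0.5", "10.10.10.50", "external"))
```

With the remote subnets in their own adapter-less network, the inbound packet is discarded as spoofed even though an access rule would have permitted it, which matches the symptom of "blocked with nothing useful in the logs"; with the same ranges left in External and the access rule written External to Internal, the same packet is allowed.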
I thought so, it seemed to suggest that way.
I also tried address ranges/subnets and created rules based on that.
Something else with EBS has gone wrong and we've lost the security server and can't get it back, as TMG wasn't removed before it died, so it cannot be reinstalled (installer won't get past a certain point). So we are saying bye bye to EBS.
It seems it works very well as long as it's not put behind an existing firewall. I can see why MS dropped it. We're now testing out SBS and some other bits as a replacement.
SBS is just as bad, or at least almost. SBS is an absolute disaster when it comes to disaster recovery (no pun intended). It also has hard limits on the number of users that can be on the network and will chop you off at the knees when it hits the limit. SBS will not interact with other Domains in any way that you might expect it to. Then you almost need an IT person who specializes in SBS just to deal with it on a daily basis because of all the odd things about SBS. What is usually true in the SBS world is not true in the real world and what is true in the real world is not true in the SBS world.

Buy regular Server products, not the special "package" products.
I need to use EBS or SBS due to licensing (I won't go into it). SBS although it has its limits will do everything we need.
EBS has all the same limitations, just a higher user limit (300).
Ok, well then I recommend you don't use SBS Premium unless you need the SQL Server.

Run with one NIC, just like any other host on the LAN.

If you use SBS Premium then don't add the ISA component, and run with a single NIC. I do like ISA, that is not the problem, but you already have a firewall product entrenched in the system now (Cyberoam). I don't think you should get yourself into the mess and excess complexity of a back-to-back DMZ with two firewalls in a situation that does not lend itself to that design, and your system does not lend itself to that design due to the VPNs and how they are handled.
I didn't want the firewalls, but you have no choice with EBS. It's a huge pain to configure with a front and back firewall and people are missing it for this reason.
Not going to use SQL on that server, have another server lined up for that.
Thanks for the help.
ASKER CERTIFIED SOLUTION by DNadon57 (the accepted answer is not available on this page).

SOLUTION (not available on this page).