Back to back ISA/TMG 2010's result in Network Routing Issue

Asked by Matthew England (United States of America), Microsoft Forefront ISA Server
7 Comments, 1 Solution, 1658 Views
Problem: I am not able to connect from the LAN to the DMZ, through two ISA/TMG servers.

I have a LAN & DMZ network with a Perimeter network in between. A TMG 2010 server is protecting each, such as this:

LAN -->|tmg2010-A|<-- PERIMETER NETWORK -->|tmg2010-B|<-- DMZ1

I'm focusing on RemoteDesktop (RDP) for now, however the problem lies with all traffic which is not being proxied by tmg2010-A.

I can connect through the proxy (tmg2010-A) from LAN to DMZ1.
I can RDP from PERIMETER NETWORK to DMZ.
I have no Windows servers in the Perimeter network, so I cannot test RDP from LAN to the Perimeter network; however, I can access it successfully using other access rules such as SSH.
I CANNOT RDP from LAN to DMZ1. When I attempt this, tmg2010-A generates an error indicating it cannot find the DMZ network. (Reference attached image: tmg2010-Aerror.jpg)
[Image: Errors on LAN firewall.]
I have also attached a screenshot of the active network routes. As you will see, there is a route directing the DMZ traffic (172.29.17.0) to the external interface of tmg2010-B (172.29.16.20). In addition to this, the default routers .16.1 & .16.2 both know how to find the .17.0 network and are also able to access it successfully.
[Image: Active Network Routes on LAN firewall.]
I'm aware this is not a very common configuration, but it still should work as it's configured.

As a side note, I have configured a rule on tmg2010-A permitting my workstation on the LAN unrestricted outbound access.

Per the attached log error, this clearly appears to be a routing error and not a firewall access rule error, as the first hit logged in the screenshot indicates that the configured rule permitting all outbound traffic is being correctly triggered and a connection is initiated to the DMZ1 network.

Any thoughts on this?
ASKER CERTIFIED SOLUTION
Matthew England, Technology Consultant
Commented: