We help IT Professionals succeed at work.

Back to back ISA/TMG 2010's result in Network Routing Issue

Matthew England
Matthew England used Ask the Experts™
on
Problem: I am not able to connect from the LAN to the DMZ, through two ISA/TMG servers.

I have a LAN & DMZ network with a Perimeter network in between. A TMG 2010 server is protecting each, such as this:

LAN -->|tmg2010-A|<-- PERIMETER NETWORK -->|tmg2010-B|<-- DMZ1

I'm focusing on RemoteDesktop (RDP) for now, however the problem lies with all traffic which is not being proxied by tmg2010-A.

I can connect through the proxy (tmg2010-A) from LAN to DMZ1
I can RDP from PERIMETER NETWORK to DMZ
I have no Windows servers in the Perimeter network so I can not test RDP from LAN to the Perimeter network, however I can access it successfully using other access rules such as SSH.
I CAN NOT, RDP from LAN to DMZ1. When I attempt this, tmg2010-A, generates the error indicating it can not find the DMZ network. (Reference attached image: tmg2010-Aerror.jpg)
Errors on LAN firewall.
I have also attached a screen shot of the active network routes. As you will see, there is route directing the DMZ traffic (172.29.17.0) to the external interface for tmg2010-B (172.29.16.20) In addition to this, the default routers .16.1 & 16.2, both know how to find the .17.0 network, and also, are able to successfully access them.
  Active Network Route's on LAN firewall.
I'm aware this is not a very common configuration, but it still should work as it's configured.

As a side note. I have configured a rule on tmg2010-A, permitting my workstation on the LAN, unrestricted outbound access.

Per the attached log error, this clearly appears to be a routing error, and not a firewall access rule error, as, the first hit logged in the screen shot, indicates the configured rule permitting all outbound is being correctly triggered and a connection initiated to the DMZ1 network.

Any thoughts on this?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Try to add in TMG-A network 172.29.17.* as external
Keith AlabasterEnterprise Architect
Top Expert 2008

Commented:
als315 is on the right track.

on the internal tmg box, create a new network called inside-dmz and associate the ip addresses 172.29.17.0 - 172.29.17.255 (or whatever the full DMZ range has) but DO NOT associate the network with ANY interface or nic.
create an network relationship from internal to inside-dmz as 'route', not NAT and then add access rules between internal and inside-dmz and vice versa.

this will allow web traffic to go out destined for external through the NAT rules and all other traffic (such as rdp) that is destined for the dmz to be nornal routed traffic

Keith
ISA & Forefront MVP
Matthew EnglandTechnology Consultant

Author

Commented:
Unless I'm missing something, ISA/TMG doesn't allow you to explicitly define an network as External. The "External" network group is defined as any undefined/unprotected network.

I was able to solve my problem by removing the DMZ1 network from the list of defined networks, and treating it as External on TMG-A, (i.e. using the "External" network in the set of rules), and doing the same with LAN on TMG-B.

While this works, it's not really ideal, as it doesn't allow me to distinguish one semi-trusted network, from another, or from any other untrusted network/host. At the present time, this isn't an issue, as I only have the three networks, and my external firewall & router are capable of blocking untrusted hosts, but I still don't like that I can't define a rule with a network that is not directly attached to the ISA/TMG.

As a summary, ALS315, you discribed exactly how I HAD it set up, when it wasn't working, except that I have no NAT rules/routes defined on my ISA/TMG servers as they are all attached to private networks.

So I guess to rephrase my question a bit, is there a way to define ISA/TMG rules based on remote networks (of which no interface of the ISA/TMG server is attached to directly), in order to permit a more granular level of access control, without having to explicitly define individual hosts/IP addresses in the Computers list of Network Objects?
Keith AlabasterEnterprise Architect
Top Expert 2008
Commented:
yes - you are missing something I think. The network that ISA/FTMG calls 'external' incoporates EVERY IP address that is not declared within ISA or FTMG. By creating a new network and incorporating the ip addresses in the DMZ they become declared. The fact that you have to go through an external nic to get to them is irrelevant.

For example, I have a network created on my FTMG box with all of Microsofts public IP addresses in it. (At least the ones that I need to know about).
I can now make access rules between internal and MS-NET that may be completely different to my standard rules associated with internal to external. As mentioned, the fact that the new network uses ip addresses that are external to the ISA or the FTMG is not relevant.
One addition to Keith:
172.29.17.* is "private" range of IP's and it is necessary to add it in networks to be routable.
Technology Consultant
Commented:
I found my answer. In short, it is not a supported configuration on ISA/TMG. Because the traffic is coming from a network, which the remote ISA/TMG server is not directly attached to, it drops it it as spoofed. So the only way to route from a network attached to one ISA/TMG to another a network attached to a different ISA/TMG server, (even though a simi-trusted perimeter network, using private IP spaces), is to treat the remote network as External by not defining it in ISA/TMG's networks.

The following is an excerpt from Microsoft TechNet, outlining rules for configuring Networks:
(http://technet.microsoft.com/en-us/library/cc995185.aspx)

"Each network you create must have a dedicated network adapter associated with it. For example, to create a topology that includes the internal corporate network, the Internet, and a perimeter network, three network adapters must be installed and enabled on the Forefront TMG computer. There are some exceptions. In a back-to-back firewall configuration, where the Internet is behind a perimeter network, there is no adapter associated with the external network. In addition, a VPN site-to-site network object does not have an adapter associated with it.

All IP addresses that can be reached directly from a network adapter must be defined as part of the Forefront TMG network that is associated with the adapter. All remote subnets must be added correctly to the network definition, and the IP address range of the network must match the routing table. Routes should be defined in the routing table for each remote subnet."

"A packet is considered spoofed (and therefore dropped) if one of the following is true:

The packet contains a source IP address that (according to the routing table) is not reachable through a network adapter associated with the network.

The packet contains a source IP address that does not belong to the address range of a network associated with the adapter."


I'm not at all thrilled, but it looks like that's my answer.
Matthew EnglandTechnology Consultant

Author

Commented:
I have attempted several times to close this issue using the Accept and Award Points link, however, it keeps telling me my Point split is invalid.

I would like to have this question closed, accepting http:#a33167222 as the solution.

Additionally I would like to split the points with:
  - 250 points allocated to http:a33156262,
  - 250 points allocated to http:a33128637.

My closing comment is below:

"My last comment was selected as the answer as it best explains the problem, and provides documentation supporting the problem with my original configuration as well as a solution to the original question.

Points are being awarded to both experts who participated, as their comments, help me to begin digging in the right direction to find a resolution to my issue & their assistance, while having not directly resolved my original issue, was helpful."