Problem: I am not able to connect from the LAN to the DMZ, through two ISA/TMG servers.
I have a LAN and a DMZ network with a Perimeter network in between. A TMG 2010 server is protecting each, like this:
LAN -->|tmg2010-A|<-- PERIMETER NETWORK -->|tmg2010-B|<-- DMZ1
I'm focusing on Remote Desktop (RDP) for now; however, the problem lies with all traffic that is not being proxied by tmg2010-A.
I can connect through the proxy (tmg2010-A) from LAN to DMZ1
I can RDP from PERIMETER NETWORK to DMZ
I have no Windows servers in the Perimeter network, so I cannot test RDP from LAN to the Perimeter network; however, I can access it successfully using other access rules such as SSH.
I CAN NOT RDP from LAN to DMZ1. When I attempt this, tmg2010-A generates an error indicating it cannot find the DMZ network. (Reference attached image: tmg2010-Aerror.jpg)
I have also attached a screenshot of the active network routes. As you will see, there is a route directing the DMZ traffic (172.29.17.0) to the external interface of tmg2010-B (172.29.16.20). In addition to this, the default routers .16.1 and .16.2 both know how to find the .17.0 network and are able to successfully access it.
I'm aware this is not a very common configuration, but it should still work as it's configured.
As a side note, I have configured a rule on tmg2010-A permitting my workstation on the LAN unrestricted outbound access.
Per the attached log error, this clearly appears to be a routing error and not a firewall access rule error, as the first hit logged in the screenshot indicates the configured rule permitting all outbound is being correctly triggered and a connection initiated to the DMZ1 network.
Any thoughts on this?
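The "cannot find the DMZ network" error points at the gap between the Windows routing table and TMG's own network objects: a destination can have a valid OS route and still belong to no network TMG knows about. As an added illustration (not part of the post and not anyone's actual configuration), the following script models both views for tmg2010-A using the addresses from the post and reports, per destination, the route it would take and whether a TMG network object covers it. The subnet masks, the Internal range, and the decision to leave 172.29.17.0/24 out of the Perimeter network are assumptions made to reproduce the symptom.

```python
import ipaddress

# Constructed model of tmg2010-A. Addresses come from the post; masks and
# TMG network membership are assumptions for illustration only.
ROUTES = [
    ("172.29.17.0/24", "172.29.16.20"),  # DMZ1 via tmg2010-B external
    ("172.29.16.0/24", None),            # on-link: perimeter interface
    ("0.0.0.0/0", "172.29.16.1"),        # default router
]
TMG_NETWORKS = {
    "Internal": ["10.0.0.0/8"],          # assumed LAN range
    "Perimeter": ["172.29.16.0/24"],     # DMZ1 range deliberately absent
}


def matching_route(dst):
    """Longest-prefix match over ROUTES; returns (prefix, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


def tmg_network_for(dst):
    """Name of the first TMG network object whose ranges contain dst, else None."""
    ip = ipaddress.ip_address(dst)
    for name, ranges in TMG_NETWORKS.items():
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return name
    return None


def diagnose(dst):
    """Combine both views: a route alone is not enough for TMG to forward."""
    route = matching_route(dst)
    net = tmg_network_for(dst)
    if route is None:
        return "no OS route"
    hop = route[1] or "on-link"
    if net is None:
        return "routed via %s but in no TMG network" % hop
    return "ok: %s via %s" % (net, hop)


if __name__ == "__main__":
    for dst in ("172.29.17.10", "172.29.16.20", "10.1.2.3"):
        print(dst, "->", diagnose(dst))
```

Adding a TMG network (or extending Perimeter) that contains 172.29.17.0/24 turns the first case into "ok", which is the check to make against the real console before looking further at routes.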