TMG - Internal Clients Access to External OWA URL Flagged as Spoofed.
Posted on 2010-11-20
I need a little help or guidance to set me in the right direction.
I am in the middle of installing a Forefront TMG server to be used as an Exchange edge server on a DMZ that is currently behind an ASA. The TMG server currently has 2 nics, one which is the external interface with an IP of 10.2.2.2 and internal interface which apart of the inside network with the IP of 10.25.50.2. OWA is currently published and I am able to get to OWA from the outside world. My problem is the internal clients. When an internal client attempts to access OWA using the external URL of mail.yyy.com the TMG server is flagging the connection as spoofed here is a copy of the log from TMG:
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Internal (10.25.50.112:49385)
Destination: Local Host (10.2.2.3:443)
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.25.50.112
Now I have googled around and have read many articles basically saying that that TMG is flagging these IP addresses b/c they are on the inside interface and hitting the external interface, so TMG is really doing its job. My question is what can I do at this point? I need to have the internal clients be able to use the external URL for various reasons.
Thank you for your time and help!