Solved

TMG - Internal Clients Access to External OWA URL Flagged as Spoofed.

Posted on 2010-11-20
7
1,665 Views
Last Modified: 2012-06-21
Hello Everyone,
I need a little help or guidance to set me in the right direction.

I am in the middle of installing a Forefront TMG server to be used as an Exchange edge server on a DMZ that is currently behind an ASA. The TMG server currently has 2 NICs: one is the external interface with an IP of 10.2.2.2, and the other is the internal interface, which is part of the inside network, with the IP of 10.25.50.2. OWA is currently published and I am able to get to OWA from the outside world. My problem is the internal clients. When an internal client attempts to access OWA using the external URL of mail.yyy.com, the TMG server is flagging the connection as spoofed; here is a copy of the log from TMG:

Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Internal (10.25.50.112:49385)
Destination: Local Host (10.2.2.3:443)
Protocol: HTTPS
Additional information
Number of bytes sent: 0
Number of bytes received: 0
Processing time: 0ms
Original Client IP: 10.25.50.112

Now I have googled around and have read many articles basically saying that TMG is flagging these IP addresses b/c they are on the inside interface and hitting the external interface, so TMG is really doing its job. My question is: what can I do at this point? I need to have the internal clients be able to use the external URL for various reasons.

Thank you for your time and help!
-Mike
Question by:BAYCCS
7 Comments
 
LVL 16

Expert Comment

by:Viral Rathod
ID: 34180698
Have you checked this ?

1) http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26236448.html

2)http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26155950.html
Go to the networking section of Forefront and add the address or address range to the appropriate adapter. Let's say that the IP being blocked is 192.168.0.50, which should be accessible on the internal network; then right-click on the internal network, select Properties, click on Add Range and add 192.168.0.50 for both the beginning IP and the ending IP, then hit OK twice.

3) http://blogs.technet.com/b/isablog/archive/2010/08/18/understanding-a-scenario-where-tmg-drops-the-packet-as-spoofed-even-when-the-source-ip-doesn-t-belong-to-the-internal-network.aspx
 
LVL 5

Author Comment

by:BAYCCS
ID: 34180752
Hello and thank you for your response.

Right now I have the Internal adapter set with the entire 10.25.50.0 to 10.25.50.255 range. If I remove the entire range and only add the Exchange server, which is 10.25.50.10, and the internal TMG NIC, which is 10.25.50.2, I still get the spoofing error from a client with an IP of 10.25.50.105 attempting to get to OWA.

I am really pulling my hair out on this one.
 
LVL 16

Expert Comment

by:Viral Rathod
ID: 34181168
I guess you should have configured all IP address ranges for the Internal network, if you are installing Forefront TMG on a computer with a single network adapter.

http://technet.microsoft.com/en-us/library/ee191505.aspx
 
LVL 16

Expert Comment

by:Viral Rathod
ID: 34181215
No, you need to add the range of the local computer. It will not work by adding a single IP address of the Exchange server or the internal TMG NIC.

http://technet.microsoft.com/en-us/library/cc995047.aspx
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183420
Yes, I have added the entire range to the internal NIC. It was just a test to see if it would work by only adding the Exchange server and TMG.

I currently have 2 NICs in the machine, 1 internal and 1 external.

Again, thank you for your help and time.
 
LVL 5

Accepted Solution

by:
BAYCCS earned 0 total points
ID: 34183462
I had a thought and I have come up with a workaround that seems to work.

I set up another subnet on the inside interface of my router. So basically I have two internal subnets, 10.25.50.1/24 and 10.25.60.1/24.

I added a workstation to the new .60 subnet and tested the connection between the two subnets internally without any problems. I opened up TMG and watched the log, and once I attempted to go to mail.xxx.com the connection was no longer spoofed and TMG allowed the connection, so internal clients can now access the external URL. The only thing I will have to do is move all my workstations/clients/wireless devices to the new subnet and leave the servers on the .50.

So basically, if I don't come up with another solution this will have to be it, unless I can get the original .50 subnet to not be spoofed.
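To make the logged drop and the .60 workaround concrete, here is an added Python model of TMG's spoof check (it is not TMG code and not from anyone in this thread). It assumes the Internal network is defined as 10.25.50.0/24 as described above, treats every address not listed in a configured network as TMG's catch-all External network, and uses constructed packets: the logged 10.25.50.112 client arriving on the external adapter, the same client arriving on the internal adapter, and a client on the 10.25.60.0/24 workaround subnet hair-pinned back to the external adapter.

```python
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed model (not TMG's own code): each adapter is mapped to the source
# address ranges TMG expects to see arriving on it. A packet whose source
# belongs to a range assigned to a *different* adapter is dropped as spoofed.
# Addresses listed nowhere fall into External, TMG's catch-all network.
NETWORKS: Dict[str, List[IPv4Network]] = {
    "Internal": [ip_network("10.25.50.0/24")],  # 10.25.50.0 - 10.25.50.255 as in the thread
    "External": [],                             # catch-all, no explicit ranges
}


def owning_network(src: str) -> str:
    """Return the TMG network that claims src; unlisted addresses are External."""
    addr = ip_address(src)
    for name, ranges in NETWORKS.items():
        if any(addr in net for net in ranges):
            return name
    return "External"


def is_spoofed(src: str, ingress: str) -> bool:
    """True when src belongs to a network other than the adapter it arrived on."""
    return owning_network(src) != ingress


def verdict(src: str, ingress: str) -> Tuple[str, str]:
    """Mimic the firewall-log status line for a packet from src on adapter ingress."""
    owner = owning_network(src)
    if is_spoofed(src, ingress):
        return ("dropped", f"source {src} belongs to {owner} but arrived on {ingress}")
    return ("allowed", f"source {src} matches {ingress}")


# Constructed packets: the logged drop, direct internal access, and the
# workaround client on the unlisted 10.25.60.0/24 subnet.
SAMPLE_PACKETS = [
    ("10.25.50.112", "External"),
    ("10.25.50.112", "Internal"),
    ("10.25.60.20", "External"),
]

if __name__ == "__main__":
    for src, ingress in SAMPLE_PACKETS:
        status, reason = verdict(src, ingress)
        print(f"{status}: {reason}")
```

The last case passes only because 10.25.60.0/24 is absent from every configured network, so TMG classifies those clients as External and applies the publishing rules written for outside users, not the trust it gives the Internal network.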
 
LVL 5

Author Closing Comment

by:BAYCCS
ID: 34613346
I found my own solution.