Solved

TMG - Internal Clients Access to External OWA URL Flagged as Spoofed.

Posted on 2010-11-20
7
1,678 Views
Last Modified: 2012-06-21
Hello Everyone,
I need a little help or guidance to set me in the right direction.

I am in the middle of installing a Forefront TMG server to be used as an Exchange edge server on a DMZ that is currently behind an ASA. The TMG server currently has 2 NICs: one is the external interface with an IP of 10.2.2.2, and the other is the internal interface, which is part of the inside network with the IP of 10.25.50.2. OWA is currently published and I am able to get to OWA from the outside world. My problem is the internal clients. When an internal client attempts to access OWA using the external URL of mail.yyy.com, the TMG server is flagging the connection as spoofed. Here is a copy of the log from TMG:

Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.  
Rule: None - see Result Code
Source: Internal (10.25.50.112:49385)
Destination: Local Host (10.2.2.3:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.25.50.112
 
Now I have googled around and have read many articles basically saying that TMG is flagging these IP addresses because they are on the inside interface and hitting the external interface, so TMG is really doing its job. My question is what can I do at this point? I need to have the internal clients be able to use the external URL for various reasons.

Thank you for your time and help!
-Mike
Question by:BAYCCS
7 Comments
 
LVL 17

Expert Comment

by:Viral Rathod
ID: 34180698
Have you checked this ?

1) http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26236448.html

2)http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26155950.html
Go to the networking section of Forefront and add the address or address range to the appropriate adapter. Let's say that the IP being blocked is 192.168.0.50, which should be accessible on the internal network: right-click on the internal network, select Properties, click on Add Range, add 192.168.0.50 as both the beginning IP and the ending IP, then hit OK twice.

3) http://blogs.technet.com/b/isablog/archive/2010/08/18/understanding-a-scenario-where-tmg-drops-the-packet-as-spoofed-even-when-the-source-ip-doesn-t-belong-to-the-internal-network.aspx
 
LVL 5

Author Comment

by:BAYCCS
ID: 34180752
Hello and thank you for your response.

Right now I have the internal adapter set with the entire 10.25.50.0 to 10.25.50.255 range. If I remove the entire range and add only the Exchange server, which is 10.25.50.10, and the internal TMG NIC, which is 10.25.50.2, I am still getting the spoofing error when a client with an IP of 10.25.50.105 attempts to get to OWA.

I am really pulling my hair out on this one.
 
LVL 17

Expert Comment

by:Viral Rathod
ID: 34181168
I guess you should configure all IP address ranges for the Internal network, if you are installing Forefront TMG on a computer with a single network adapter.

http://technet.microsoft.com/en-us/library/ee191505.aspx

 
LVL 17

Expert Comment

by:Viral Rathod
ID: 34181215
No, you need to add the range of the local computer; it will not work by adding a single IP address of the Exchange server or the internal TMG NIC.

http://technet.microsoft.com/en-us/library/cc995047.aspx
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183420
Yes, I have added the entire range to the internal NIC. It was just a test to see if it would work by adding only the Exchange server and TMG.

I currently have 2 NICs in the machine, 1 internal and 1 external.

Again, thank you for your help and time.
 
LVL 5

Accepted Solution

by:BAYCCS (earned 0 total points)
ID: 34183462
I had a thought and I have come up with a workaround that seems to work.

I set up another subnet on the inside interface of my router. So basically I have two internal subnets, 10.25.50.1/24 and 10.25.60.1/24.

I added a workstation to the new .60 subnet and tested the connection between the two subnets internally without any problems. I opened up TMG and watched the log, and once I attempted to go to mail.xxx.com the connection was no longer spoofed and TMG allowed the connection, so internal clients can now access the external URL. The only thing I will have to do is move all my workstations/clients/wireless devices to the new subnet and leave the servers on the .50.

So basically, if I don't come up with another solution this will have to be it, unless I can get the original .50 subnet to not be spoofed.
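The following is an added illustration, not code from the thread or from Microsoft's TMG: it models the rule described above (a source address belonging to the Internal network must arrive on the Internal adapter, otherwise the packet is treated as spoofed) and runs it over the log entry quoted in the question and over the .60 workaround from the accepted answer. The network definitions, the assumption that the 10.2.2.3 listener address sits on the external adapter, and the 10.25.60.20 client address are constructed for this example; real TMG has further cases (see the TechNet blog link in the first comment) that this simplified model does not cover.

```python
"""Simplified model of TMG's spoof check, run over the thread's log entry.

Added example; the network and adapter tables are assumptions built from
the addresses mentioned in the thread, not a dump of a real TMG config.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed TMG network definitions: network name -> address ranges.
# "Internal" mirrors the range the author added to the internal adapter;
# the external adapter's subnet is a constructed assumption.
NETWORKS = {
    "Internal": [ipaddress.ip_network("10.25.50.0/24")],
    "External": [ipaddress.ip_network("10.2.2.0/24")],
}

# Assumed mapping: local address a packet arrives on -> adapter's network.
ADAPTERS = {
    ipaddress.ip_address("10.25.50.2"): "Internal",  # internal NIC (thread)
    ipaddress.ip_address("10.2.2.3"): "External",    # OWA listener (log entry)
}

# The log entry quoted in the question, embedded here as the sample input.
LOG_ENTRY = """\
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Internal (10.25.50.112:49385)
Destination: Local Host (10.2.2.3:443)
Protocol: HTTPS
"""


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address   # local adapter address the packet arrived on
    dport: int


def network_of(addr):
    """Name of the TMG network whose ranges contain addr, or None."""
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return None


def is_spoofed(pkt):
    """A source that belongs to network X must arrive on an X adapter.

    A source address in no defined network is not flagged by this check,
    which is consistent with the .60 subnet workaround in the thread.
    """
    ingress = ADAPTERS.get(pkt.dst)
    if ingress is None:
        raise ValueError(f"unknown local address {pkt.dst}")
    src_net = network_of(pkt.src)
    if src_net is None:
        return False
    return src_net != ingress


def parse_log(text):
    """Extract source/destination addresses from a TMG log entry."""
    fields = dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    addr = re.compile(r"\((\d+\.\d+\.\d+\.\d+):(\d+)\)")
    src = addr.search(fields["Source"])
    dst = addr.search(fields["Destination"])
    return Packet(ipaddress.ip_address(src.group(1)),
                  ipaddress.ip_address(dst.group(1)),
                  int(dst.group(2)))


def classify(src, dst, dport=443):
    """Convenience wrapper taking plain strings; returns True if spoofed."""
    return is_spoofed(Packet(ipaddress.ip_address(src),
                             ipaddress.ip_address(dst), dport))


if __name__ == "__main__":
    print("log entry spoofed:", is_spoofed(parse_log(LOG_ENTRY)))          # True
    print(".60 client via external:", classify("10.25.60.20", "10.2.2.3"))  # False
    print(".50 client via internal:", classify("10.25.50.112", "10.25.50.2"))  # False
```

The second and third calls show why the workaround behaves as the author observed: a 10.25.60.x source belongs to no defined network, so arriving on the external listener does not contradict any network membership, while a 10.25.50.x source is only accepted on the internal adapter.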
 
LVL 5

Author Closing Comment

by:BAYCCS
ID: 34613346
I found my own solution.

Question has a verified solution.