Solved

TMG - Internal Clients Access to External OWA URL Flagged as Spoofed.

Posted on 2010-11-20
1,694 Views
Last Modified: 2012-06-21
Hello Everyone,
I need a little help or guidance to set me in the right direction.

I am in the middle of installing a Forefront TMG server to be used as an Exchange edge server on a DMZ that is currently behind an ASA. The TMG server currently has two NICs: the external interface with an IP of 10.2.2.2, and the internal interface, which is part of the inside network, with the IP of 10.25.50.2. OWA is currently published and I am able to get to OWA from the outside world. My problem is the internal clients. When an internal client attempts to access OWA using the external URL of mail.yyy.com, the TMG server is flagging the connection as spoofed. Here is a copy of the log from TMG:

Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Internal (10.25.50.112:49385)
Destination: Local Host (10.2.2.3:443)
Protocol: HTTPS
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.25.50.112

Now I have googled around and have read many articles basically saying that TMG is flagging these IP addresses because they are on the inside interface and hitting the external interface, so TMG is really doing its job. My question is: what can I do at this point? I need to have the internal clients be able to use the external URL for various reasons.

Thank you for your time and help!
-Mike
Question by:BAYCCS
7 Comments
 
LVL 17

Expert Comment

by:Viral Rathod
ID: 34180698
Have you checked these?

1) http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26236448.html

2) http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26155950.html
Go to the networking section of Forefront and add the address or address range to the appropriate adapter. Let's say the IP being blocked is 192.168.0.50, which should be accessible on the internal network: right-click on the internal network, select Properties, click Add Range, add 192.168.0.50 as both the beginning IP and the ending IP, then hit OK twice.

3) http://blogs.technet.com/b/isablog/archive/2010/08/18/understanding-a-scenario-where-tmg-drops-the-packet-as-spoofed-even-when-the-source-ip-doesn-t-belong-to-the-internal-network.aspx
 
LVL 5

Author Comment

by:BAYCCS
ID: 34180752
Hello and thank you for your response.

Right now I have the Internal adapter set with the entire 10.25.50.0 to 10.25.50.255 range. If I remove the entire range and only add the Exchange server, which is 10.25.50.10, and the internal TMG NIC, which is 10.25.50.2, I am still getting the spoofing error from a client with an IP of 10.25.50.105 attempting to get to OWA.

I am really pulling my hair out on this one.
 
LVL 17

Expert Comment

by:Viral Rathod
ID: 34181168
I guess you should configure all IP address ranges for the Internal network, if you are installing Forefront TMG on a computer with a single network adapter.

http://technet.microsoft.com/en-us/library/ee191505.aspx
 
LVL 17

Expert Comment

by:Viral Rathod
ID: 34181215
No, you need to add the range of the local computer. It will not work by adding a single IP address of the Exchange server or the internal TMG NIC.

http://technet.microsoft.com/en-us/library/cc995047.aspx

 
LVL 5

Author Comment

by:BAYCCS
ID: 34183420
Yes, I have added the entire range to the internal nic. It was just a test to see if that would work by only adding the Exchange and TMG.

I currently have two NICs in the machine, one internal and one external.

Again, thank you for your help and time.
 
LVL 5

Accepted Solution

by:BAYCCS (earned 0 total points)
ID: 34183462
I had a thought and I have come up with a workaround that seems to work.

I set up another subnet on the inside interface of my router. So basically I have two internal subnets, 10.25.50.1/24 and 10.25.60.1/24.

I added a workstation to the new .60 subnet and tested the connection between the two subnets internally without any problems. I opened up TMG and watched the log, and once I attempted to go to mail.xxx.com the connection was no longer spoofed and TMG allowed the connection, so internal clients can now access the external URL. The only thing I will have to do is move all my workstations/clients/wireless devices to the new subnet and leave the servers on the .50.

So basically, if I don’t come up with another solution this will have to be it, unless I can get the original .50 subnet to not be spoofed.
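As an added illustration (not code from the thread or from Microsoft), here is a simplified Python model of the anti-spoofing check discussed above: it parses the log entry quoted in the question and applies the rule that a source address must belong to the network bound to the adapter the packet arrived on, which is why 10.25.50.x clients hitting the external listener are dropped while hosts on the new .60 subnet (in no defined range) are allowed. The adapter ranges, the destination-to-adapter mapping and the 10.25.60.20 test host are assumptions made for the example.

```python
import ipaddress
import re

# Constructed model of the two-adapter layout in this thread (assumption: the
# External adapter owns 10.2.2.0/24, including the 10.2.2.3 OWA listener, the
# Internal adapter owns 10.25.50.0/24, and the destination identifies the adapter).
ADAPTERS = {
    "External": ipaddress.ip_network("10.2.2.0/24"),
    "Internal": ipaddress.ip_network("10.25.50.0/24"),
}
# Only the Internal range is declared; other sources count as catch-all External.
NETWORK_RANGES = {"Internal": [ipaddress.ip_network("10.25.50.0/24")]}

def network_of(ip):
    """TMG network the source address is defined to belong to."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORK_RANGES.items():
        if any(addr in r for r in ranges):
            return name
    return "External"

def receiving_adapter(dest_ip):
    """Adapter that received the packet, inferred from its destination."""
    addr = ipaddress.ip_address(dest_ip)
    for name, net in ADAPTERS.items():
        if addr in net:
            return name
    raise ValueError(f"no adapter owns {dest_ip}")

def is_spoofed(source_ip, dest_ip):
    """Anti-spoofing rule: the source must belong to the network bound to the
    adapter it arrived on; 10.25.50.x hitting the External adapter fails it."""
    return network_of(source_ip) != receiving_adapter(dest_ip)

def parse_log_entry(text):
    """Pull source and destination addresses out of a TMG firewall log entry."""
    src = re.search(r"Source: [^(]*\((\d+\.\d+\.\d+\.\d+):\d+\)", text).group(1)
    dst = re.search(r"Destination: [^(]*\((\d+\.\d+\.\d+\.\d+):\d+\)", text).group(1)
    return src, dst

# Constructed copy of the entry quoted in the question above.
SAMPLE_LOG = """Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Source: Internal (10.25.50.112:49385)
Destination: Local Host (10.2.2.3:443)"""

def check(entry=SAMPLE_LOG):
    """Return (source, destination, verdict) for a log entry."""
    src, dst = parse_log_entry(entry)
    return src, dst, "spoofed" if is_spoofed(src, dst) else "allowed"
```

Calling `is_spoofed("10.25.60.20", "10.2.2.3")` reproduces the workaround: the .60 host is not in any declared range, so it is treated as External traffic arriving on the External adapter and passes the check.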
 
LVL 5

Author Closing Comment

by:BAYCCS
ID: 34613346
I found my own solution
