klwn
Direct Access 2012R2 Two Network Card Configuration Behind TMG 2010
We have a Direct Access 2012R2 server configured with 2 NICs.
192.168.1.1 (not really) on WAN NIC
172.16.1.1 (not really) on LAN NIC
The public IP for direct access is 80.80.80.80 (not really)
The public IP address is on the firewall. If we NAT the address 80.80.80.80 to 192.168.1.1 for HTTPS and add a rule on the firewall to allow HTTPS to 192.168.1.1, Direct Access works fine.
Unfortunately, we are using Direct Access with Windows 10 Ent clients. With the absence of NAP in Windows 10 I need to secure the connection further and want to place the TMG box in the mix.
Our 2010 TMG box straddles the DMZ and LAN. One arm in the DMZ on the 192.168.1.x network and the other arm in the 172.16.1.x LAN network.
I am struggling to create a non-web server publishing rule that will see the NATted traffic (192.168.1.1).
I have an IP address on the DMZ arm of the TMG box configured with IP address 192.168.1.2. I thought I could change the NAT rule on the firewall to point to the TMG DMZ IP address (192.168.1.2) instead of the Direct Access box IP address in the DMZ, 192.168.1.1.
Alas, I cannot work out how I would set up my non-web server publishing rule to achieve this.
Can anyone help?
ASKER
Sorry for the delay. We ended up publishing the second NIC directly to the firewall and bypassed TMG. We could never figure out why the problem was occurring... double NATting was getting messy. Steve, I agree :)