Asked by klwn (United Kingdom):
Direct Access 2012R2 Two Network Card Configuration Behind TMG 2010

We have a DirectAccess 2012 R2 server configured with 2 NICs.

192.168.1.1 (not really) on the WAN NIC
172.16.1.1 (not really) on the LAN NIC

The public IP for DirectAccess is 80.80.80.80 (not really).

The public IP address is on the firewall. If we NAT the address 80.80.80.80 to 192.168.1.1 for HTTPS and add a rule on the firewall to allow HTTPS to 192.168.1.1, DirectAccess works fine.

Unfortunately, we are using DirectAccess with Windows 10 Enterprise clients. With the absence of NAP in Windows 10 I need to secure the connection further and want to place the TMG box in the mix.

Our TMG 2010 box straddles the DMZ and LAN: one arm in the DMZ on the 192.168.1.x network and the other arm in the 172.16.1.x LAN network.

I am struggling to create a non-web server publishing rule that will see the NATted traffic (192.168.1.1).

I have an IP address on the DMZ arm of the TMG box configured with IP address 192.168.1.2. I thought I could change the NAT rule on the firewall to point to the TMG DMZ IP address (192.168.1.2) instead of the DirectAccess box's IP address in the DMZ (192.168.1.1).

Alas, I cannot work out how I would set up my non-web server publishing rule to achieve this.

Can anyone help?
klwn (asker):

I should add that the traffic doesn't match the non-web server publishing rule. The rule allows traffic from External to 192.168.1.1, but the log shows the traffic being denied because it doesn't match the rule. The traffic being denied has a destination of 192.168.1.2 (the NATted address). It's almost like I need to re-NAT the incoming traffic coming into TMG...
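The question and the follow-up both hinge on whether an HTTPS connection to the published address actually ends up on the DirectAccess server's IP-HTTPS listener, or stops somewhere in the firewall NAT / TMG chain. The PowerShell probe below is an added example for checking that; it is not part of the original thread and not TMG or DirectAccess product code. It assumes the page's placeholder public IP 80.80.80.80 and a hypothetical IP-HTTPS hostname da.example.com (the name the DirectAccess server's IP-HTTPS certificate should carry). It completes a TLS handshake with the target and reports which certificate answered, so a handshake that succeeds but presents a different name, or a TCP connect that times out, tells you which hop is breaking the path.

```powershell
# Added example (not from the original thread). 80.80.80.80 is the page's
# placeholder public IP; da.example.com is an assumed IP-HTTPS hostname.
function Test-DaPublishedEndpoint {
    param(
        [Parameter(Mandatory)] [string]$Target,     # public IP, TMG DMZ IP or DA DMZ IP
        [Parameter(Mandatory)] [string]$HostName,   # name expected in the IP-HTTPS certificate
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    # Stage 1: plain TCP connect with a timeout. A timeout here means the
    # firewall NAT / TMG listener never delivered the SYN to a listening socket.
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($Target, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close()
        return [pscustomobject]@{
            Target = $Target; Reachable = $false; NameMatches = $false
            Subject = $null; Issuer = $null; NotAfter = $null; Protocol = $null
            Reason = "TCP connect to ${Target}:${Port} timed out (NAT rule or TMG listener not forwarding)"
        }
    }
    $client.EndConnect($async)

    # Stage 2: TLS handshake. Certificate validation is deliberately accepted
    # here so the certificate can be inspected; the name check below is ours.
    $acceptAll = { param($sender, $cert, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name extension, looked up by OID so it is locale-independent
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }

        $escaped     = [regex]::Escape($HostName)
        $nameMatches = ($cert.Subject -match "CN=$escaped") -or ($san -match $escaped)

        [pscustomobject]@{
            Target      = $Target
            Reachable   = $true
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            NameMatches = $nameMatches
            Reason      = if ($nameMatches) {
                'TLS handshake reached a listener presenting the expected IP-HTTPS name'
            } else {
                'A listener answered, but with a different certificate: the NAT or publishing rule is terminating on the wrong host'
            }
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Walk the path hop by hop (run each from a host that can reach that address):
# 1. from the DMZ, straight at the DirectAccess WAN NIC
Test-DaPublishedEndpoint -Target '192.168.1.1' -HostName 'da.example.com' | Format-List
# 2. from the DMZ, at the TMG DMZ address the firewall NAT now points to
Test-DaPublishedEndpoint -Target '192.168.1.2' -HostName 'da.example.com' | Format-List
# 3. from the Internet, at the public address
Test-DaPublishedEndpoint -Target '80.80.80.80' -HostName 'da.example.com' | Format-List
```

Running the three probes in that order localizes the fault: if 192.168.1.1 answers with the right certificate but 192.168.1.2 does not, the TMG publishing rule is not forwarding (which matches the denied entries with destination 192.168.1.2 in the TMG log); if 192.168.1.2 works but 80.80.80.80 does not, the perimeter firewall's NAT or allow rule is the problem.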
ASKER CERTIFIED SOLUTION by Steve (United Kingdom)

(The accepted solution text is not available on this page.)
klwn (asker):

Sorry for the delay. We ended up publishing the second NIC directly to the firewall and bypassed TMG. We could never figure out why the problem was occurring... double NATting was getting messy. Steve, I agree :)