TMG Listens on All Ports of DMZ Network Range

Hi Guys, I have a strange issue where TMG 2010 (latest updates installed) is configured as a 3-leg firewall. Everything is working well except for many attacks I get on my DMZ public IP range. The TMG DMZ range consists of a /26 valid range and is accessible from the internet via a route relationship. I just tested these valid IP addresses from the internet and every port from 1-65535 is open to the internet. However, because the other party (a host in the DMZ) doesn't answer on the port, the telnet TMG logs show a connection RST. But this is making our edge firewall a suitable host for attacks, since attackers or bots can see all ports are open and answering on the first try... Is this okay? Isn't this a problem with the TMG DMZ range?

If I remove "All Protocol" access from External to DMZ, the problem goes away and only ports that are really open on DMZ hosts get a successful telnet. How can I fix this issue?

July 2nd, 2015 4:23pm

First question would be, how is your rule-set configured?

Now, are you actually able to set up a TCP connection on all ports? Does the traffic from the Internet on (random port) actually reach the DMZ? TMG will reset the connection if it doesn't allow it and log it accordingly.

If you expect that TMG should drop it silently without logging, then that will not happen...

July 3rd, 2015 3:26am

The rule-set is configured to allow all traffic from External to the Perimeter range. This is not a good idea, but my business requires it.

But why does TMG listen and not drop the request on ports that are not actually open on the perimeter host?

Isn't there any workaround for this?

July 3rd, 2015 3:43am

Hi,

If you have configured TMG to allow all traffic, then that is what it will do. If you have configured TMG to allow all traffic (meaning all traffic matching a protocol definition in TMG) to the entire DMZ subnet, there's no way you can expect TMG to check if there's someone home on the target ip:port the traffic is destined for. It will allow the traffic as per your rules. Maybe there is other firewall software that does this (not aware of any), but the performance hit of doing so would be huge with this configuration.

What you have done is configure TMG to act as a router between the Internet and the DMZ with some filtering capabilities.

The only way to rectify this behavior is to actually create a ruleset that allows only the traffic to the hosts that exist on the DMZ, on the protocols used.

July 3rd, 2015 4:33am

But why does TMG listen on a port that is not open on the DMZ range?

It seems TMG proxies connections and answers the client, and then passes the real request to the destination host (DMZ host). At that moment, if the port is not open, TMG sends a RST response to the client!

Isn't there any way to change this behavior?

July 3rd, 2015 5:12am

Ok, so you want TMG to have all ports open through TMG but before it passes traffic TMG should check if the port is open and the host available?

To be superclear:

You cannot change this behavior.

I assume that you are using access rules for this as well, which per TMG design is not correct. Inbound traffic, whether to LAN or DMZ, should use publishing rules. Access rules are for outbound traffic (even though they work in your scenario).

TMG is designed to filter traffic based on your ruleset. If the request is allowed, then it will pass the traffic regardless of whether anyone (on your DMZ) is listening. If there's no host listening on that address:port, it will reset the connection. The only time it will monitor whether a published server is listening is if you publish a web farm, but that is not done at connection time but on a schedule.

You cannot change this. I don't know why you would want to have it this way, but you need to re-think your approach. I don't know of any firewall that would do this in the way you want.

July 3rd, 2015 7:52am
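To make the thread's point concrete, here is an added model (not TMG code, not from any poster) of how a proxying firewall's rule-set shapes what an external SYN probe observes: an "allow all protocols to the whole DMZ subnet" rule makes every address:port in the range answer at the firewall, while host-and-port-scoped (publishing-style) rules leave only real services reachable. The DMZ range 203.0.113.0/26, the listener table and the rule names are constructed for the example.

```python
"""Model of firewall rule evaluation vs. what an Internet port scan sees.
Constructed example illustrating the TMG behaviour described in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str
    dst_net: ipaddress.IPv4Network
    ports: Optional[FrozenSet[int]]  # None = all ports ("All Protocols" style rule)


def allowed(rules: List[Rule], dst_ip: str, port: int) -> bool:
    """First matching rule wins; no match means the default deny applies."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if ip in r.dst_net and (r.ports is None or port in r.ports):
            return True
    return False


def scanner_view(rules: List[Rule], listeners: Dict[str, Set[int]],
                 dst_ip: str, port: int) -> str:
    """What a single SYN probe from the Internet observes.
    - denied by the rule-set: the firewall resets the SYN -> 'closed'
    - allowed: the proxy completes the handshake first; if no DMZ host answers
      it resets afterwards, but the scanner has already seen the port as open."""
    if not allowed(rules, dst_ip, port):
        return "closed"
    return "open" if port in listeners.get(dst_ip, set()) else "open-then-reset"


def exposed_count(rules: List[Rule], listeners: Dict[str, Set[int]],
                  net: ipaddress.IPv4Network, ports: range) -> int:
    """Number of (ip, port) pairs the rule-set accepts with no real listener."""
    return sum(1 for ip in net.hosts() for p in ports
               if allowed(rules, str(ip), p) and p not in listeners.get(str(ip), set()))


# Constructed DMZ: a /26 with two real hosts offering three services in total.
DMZ = ipaddress.ip_network("203.0.113.0/26")
LISTENERS = {"203.0.113.10": {80, 443}, "203.0.113.20": {25}}

# Thread's current state: one access rule, all protocols, whole perimeter range.
ALLOW_ALL = [Rule("All from External to Perimeter", DMZ, None)]

# Recommended state: one scoped rule per published host and service.
SCOPED = [
    Rule("Publish web", ipaddress.ip_network("203.0.113.10/32"), frozenset({80, 443})),
    Rule("Publish mail", ipaddress.ip_network("203.0.113.20/32"), frozenset({25})),
]
```

Running `exposed_count(ALLOW_ALL, LISTENERS, DMZ, range(1, 1025))` against `exposed_count(SCOPED, ...)` shows the size of the phantom attack surface the original rule creates versus zero for the scoped ruleset.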
