Traffic Routing from External to Perimeter using TMG 2010 3-Leg Template

Guys, I have a TMG box which has 3 NICs for LAN, Perimeter and External.

LAN IP Range: 172.16.14.0/24

Perimeter Range: Valid Range (the first IP has been set on the TMG Perimeter interface, and servers behind TMG with a valid public IP address have Internet)

External Range: Other Valid Range (some LAN resources published, like Mail and Web Server)

Currently we have an Apache server in the Perimeter zone with a public IP address and customers can browse the website. The problem is that when I want to check the IP addresses of customers who browsed this web server over HTTP, I just see the Perimeter address of the TMG box, not the real addresses. But if users browse the HTTPS website on the same Apache server, I can determine which source IP tried and browsed the website. There seems to be a default rule that is trying to NAT the traffic from External to the Perimeter network range. However, I've configured the TMG box using the 3-Leg Template and the network relationship between the Perimeter and External networks is Route. I also tried to modify the Perimeter network rule to match like this:

From: Perimeter,External

To: Perimeter,External

Network Relationship: Route

-----------

But still it's not working and I can only see the IP address of the Perimeter interface in the Apache server for HTTP traffic.

I also tried to unbind the HTTP Filter and defined a custom HTTP protocol and a separate firewall rule for that, but nothing changed.

Any help please?


June 11th, 2015 4:36am

Hi Mohammed,

Indeed a routing rule should deal with this issue. But it also depends on how you have published your website.

  • If you configured an Access Rule from External (Anywhere) to your Web Server, then you have to investigate the order of the routing rules.
  • If you configured a Secure Web Publishing rule, then you have to look at the properties of the Secure Web Publishing rule. On the destination tab look for a setting "Traffic appears to come from TMG". You need to change this setting to something like "Traffic appears to come from original client".


I hope this makes more se

June 11th, 2015 10:57am

Thanks Boudewijn,

The solution was a bit strange :)

I had to create a Network Rule to first route traffic from External to the DMZ network, then I had to create an Access Rule for HTTP access from External to DMZ with a custom HTTP protocol which bypasses the HTTP Filter, and right after that a deny rule which drops packets from External to DMZ on the standard HTTP protocol.

It seems that only creating an Allow Rule with the custom HTTP protocol does not work properly and we need to create the Deny Rule as well.

Anyway, after years since the discontinuation of TMG 2010 I have big problems replacing this awesome box :(

Kind Regards

June 23rd, 2015 11:58am
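A way to verify, from the web server side, that the rule change above actually took effect: the symptom in this thread is that the HTTP access log shows only the TMG perimeter-interface address while the HTTPS log shows real client addresses. The script below is an added example and is not part of the original thread or of TMG; it parses Apache "combined" access-log lines and reports whether the peer addresses are dominated by a known firewall address (traffic still NATed) or spread across distinct clients (traffic routed). The log lines are constructed for the example, and 198.51.100.2 stands in for the TMG perimeter-interface address, which the thread does not give.

```python
import re
from collections import Counter

# Apache "combined" log format. The first field is the peer address the web
# server saw on the TCP connection, which is exactly what the thread is about.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Placeholder for the TMG perimeter-interface IP (assumption, not from the thread).
TMG_PERIMETER_IP = "198.51.100.2"

# Constructed sample: the HTTP listener's log as it looked before the fix,
# every request appearing to come from the firewall itself.
HTTP_LOG_BEFORE = [
    '198.51.100.2 - - [23/Jun/2015:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [23/Jun/2015:10:12:05 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [23/Jun/2015:10:13:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.40"',
    '198.51.100.2 - - [23/Jun/2015:10:14:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

# Constructed sample: the HTTPS listener's log, where real client addresses
# were already visible (documentation-range addresses used as clients).
HTTPS_LOG = [
    '203.0.113.45 - - [23/Jun/2015:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [23/Jun/2015:10:12:05 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [23/Jun/2015:10:13:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.40"',
    '192.0.2.130 - - [23/Jun/2015:10:14:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def source_ip_report(lines, firewall_ips, threshold=0.9):
    """Summarise where requests appear to come from.

    If at least `threshold` of the requests carry one of `firewall_ips` as the
    peer address, the listener is almost certainly still behind a NAT
    relationship and the verdict is NAT_SUSPECTED; otherwise ROUTED_OK.
    """
    entries = [e for e in (parse_line(l) for l in lines) if e]
    counts = Counter(e["client"] for e in entries)
    total = sum(counts.values())
    masked = sum(counts[ip] for ip in firewall_ips)
    ratio = masked / total if total else 0.0
    if total == 0:
        verdict = "NO_DATA"
    elif ratio >= threshold:
        verdict = "NAT_SUSPECTED"
    else:
        verdict = "ROUTED_OK"
    return {
        "total": total,
        "masked": masked,
        "masked_ratio": ratio,
        "distinct_clients": len(counts),
        "top_sources": counts.most_common(3),
        "verdict": verdict,
    }


def compare_listeners(http_lines, https_lines, firewall_ips):
    """Run the report for both listeners so the asymmetry in the thread is visible side by side."""
    return {
        "http": source_ip_report(http_lines, firewall_ips),
        "https": source_ip_report(https_lines, firewall_ips),
    }


if __name__ == "__main__":
    for name, rep in compare_listeners(HTTP_LOG_BEFORE, HTTPS_LOG, {TMG_PERIMETER_IP}).items():
        print(f"{name}: {rep['verdict']} ({rep['masked']}/{rep['total']} from firewall, "
              f"{rep['distinct_clients']} distinct sources)")
```

Run it against the real access logs of both listeners after changing the network and access rules; once the HTTP report flips from NAT_SUSPECTED to ROUTED_OK the Apache logs are usable again for tracing which client did what.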