TMG 2010 does not proxy back to the same network as the request

microsoft-ftmg-2010

I have an issue where websites that are hosted on a web server (www.example.com) are not accessible from their own network when accessed via its public IP address, but they are accessible from every other network.

This is the network setup:


I have a TMG 2010 SP1 machine behind a router that's managed by someone else (that I have no access to), and behind that router is the internet.

The "external network" router has a 1:1 NAT for IP addresses pointing to corresponding private IP addresses on the TMG box. The TMG Edge then has a web proxy rule that forwards the requests (to www.example.com) to a web server on Network B.

When you try to access www.example.com (that is hosted on Network B) via its public IP address, the following happens:

Internet -  HTTP 200 OK
External -  HTTP 200 OK
Network A - HTTP 200 OK
Network B - Error Code 10060: Connection timeout
Network C - HTTP 200 OK

I see the traffic hit the TMG firewall, but then it seems to get lost. It does not forward the packet to the external network (which, if it did, it would send straight back). Wireshark shows the packet coming in on the Network B interface, but it never leaves the TMG.

After requesting http://www.example.com/, the TMG firewall log shows an initial permitted outbound request, followed 60 seconds later by:

  • Failed Connection Attempt
  • Source Network: Network B
  • Destination Network: External
  • URL: http://203.206.238.xxx (the public IP address, not the URL I actually requested)

Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

I have no idea where the problem lies. I don't know if it's because for some reason it's proxying the public IP address as the URL (there are no proxy rules for the IP address, only for FQDNs), or if it's something else entirely.

Best Answer

I'm pretty sure this has to do with the way TMG is designed. According to:

http://technet.microsoft.com/en-us/library/cc995133.aspx

Bypassing Forefront TMG for firewall client requests

Microsoft Forefront Threat Management Gateway is designed to handle communications between different networks. Usually, clients on a specific network should not traverse Forefront TMG to reach hosts located in the same network. Instead, direct access should be used.

Direct access enables Firewall client computers to do the following:

  • Bypass the Microsoft Firewall Client configuration and connect directly to resources.
  • Make Web proxy requests that bypass the Web proxy filter.

This allows Firewall clients to access resources located in their local network without going through Forefront TMG and allows clients to make Web requests without going through Forefront TMG as a proxy.

This also covers significant limitations of TMG in a 'single adapter setup' which is similar to how B would connect to the web server:

http://technet.microsoft.com/en-us/library/cc995236.aspx
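As an added illustration of the "direct access" behaviour described in the answer (not part of the original thread, and not the configuration script TMG itself generates), the PAC-style logic below sends Web proxy clients on the web server's own network straight to www.example.com instead of through TMG, while everything else still uses the proxy. All addresses are constructed: 10.0.2.0/24 stands in for Network B and 10.0.0.1:8080 for the TMG internal listener.

```javascript
// Constructed values standing in for the thread's networks (assumptions, not from the page).
var TMG_PROXY = "PROXY 10.0.0.1:8080";                        // TMG internal web proxy listener
var LOCAL_NETWORK = { base: "10.0.2.0", mask: "255.255.255.0" }; // Network B, where www.example.com lives
var DIRECT_HOSTS = ["www.example.com"];                        // sites hosted on Network B

// Real PAC engines provide isInNet()/myIpAddress(); these small helpers make the
// selection logic self-contained so it also runs (and can be tested) under Node.
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) { return (acc << 8) + (octet | 0); }, 0) >>> 0;
}

function inNet(ip, base, mask) {
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(base) & m);
}

// Core decision: a client that is already on the server's network must not hand the
// request to TMG, because TMG will not proxy a request back into the network it came from.
// Note: DIRECT only helps if www.example.com resolves to its internal address from
// Network B (split DNS); that DNS arrangement is assumed here, not shown.
function selectProxy(host, clientIp) {
  var isLocalSite = DIRECT_HOSTS.indexOf(host.toLowerCase()) !== -1;
  var clientOnLocalNet = inNet(clientIp, LOCAL_NETWORK.base, LOCAL_NETWORK.mask);
  if (isLocalSite && clientOnLocalNet) {
    return "DIRECT";
  }
  return TMG_PROXY;
}

// Entry point a browser would call; myIpAddress() is supplied by the PAC engine.
function FindProxyForURL(url, host) {
  return selectProxy(host, myIpAddress());
}
```

Clients on Network A or C still get the proxy string, which matches the behaviour in the question where only Network B fails.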