The network layout
External Network - TMG - Perimeter Network - FTP perimeter IP
The problem symptoms
When attempting to connect to his published FTP server from the external network, his connections were dropped. Checking the TMG logs, he found the following:
Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP
The FTP server was accessible from the internal network. The TMG Local Host could also connect to the FTP server via the perimeter network, but no connection from the external network made it through.
We went through a number of basic checks but were stumped, because he already had a web site published in the same manner as he was attempting to publish the FTP site.
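One way to pick such entries out of a log export, as an added example that is not part of the original post (the sample records, addresses and helper names are constructed): a parser for the log-viewer record layout quoted above, which tolerates fields run together on one line, plus a check that flags denials where traffic reached a TMG listener (Local Host) but only the Default rule matched, the signature of a publishing rule that is not being applied.

```python
import re

# Constructed sample records in the log-viewer layout quoted above (placeholder addresses).
SAMPLE_LOG = """\
Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (203.0.113.10:2801)
Destination: Local Host (192.0.2.5:21)Protocol: FTP

Denied Connection TMGServer 4/14/20xx 10:27:02 PM
Rule: Block outbound Telnet
Source: Internal (10.0.0.7:51000)
Destination: External (198.51.100.9:23)Protocol: Telnet
"""
HEADER_RE = re.compile(r"^(?P<action>.+? Connection) (?P<server>\S+) (?P<when>.+)$")
# "Key: Value" pairs; copied entries sometimes run several onto one line (Destination/Protocol).
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*): (.*?)(?=[A-Za-z][A-Za-z ]*: |$)")
ENDPOINT_RE = re.compile(r"^(?P<network>.+?) \((?P<ip>[\d.]+):(?P<port>\d+)\)$")

def parse_log(text):
    """Parse blank-line-separated log-viewer records into dicts of their fields."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # not a record header; skip rather than guess
        rec = header.groupdict()
        for line in lines[1:]:
            for key, value in FIELD_RE.findall(line):
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def endpoint(rec, name):
    """Split a 'Network (ip:port)' field into (network, ip, port), or None."""
    m = ENDPOINT_RE.match(rec.get(name, ""))
    return (m["network"], m["ip"], int(m["port"])) if m else None

def unmatched_publishing_denials(records):
    """Denials that reached a TMG listener (Local Host) but only hit the implicit Default rule."""
    hits = []
    for rec in records:
        src, dst = endpoint(rec, "Source"), endpoint(rec, "Destination")
        if (rec["action"] == "Denied Connection" and rec.get("Rule") == "Default rule"
                and src and dst and dst[0] == "Local Host"):
            hits.append((src[0], dst[2], rec.get("Protocol")))
    return hits
```

Each hit is (source network, listener port, protocol); a hit on port 21 from the Perimeter network is exactly the entry shown above, and a working publishing rule would have named itself in the Rule field instead.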
At this point I was heading offshore on holiday - with no internet access.
AJ managed to get a resolution for the problem from Microsoft directly. Here are his findings:
"We had a Perimeter Network on our TMG 2010 server. Non-web server protocol publishing rules will not work on a Forefront 2010 TMG that was configured as a Back Firewall unless the Perimeter Network is removed. So, we took the following steps to correct our problem:
- On the Network Rules tab in Networking, we removed the Perimeter Network rules (we had two rules, rules 4 and 5, listed as Perimeter Network rules. At first, we were unable to remove rule 5 because it was attached to the existing policy, so we had to take steps 2 and 3) and kept the External (built-in network) network rule.
- We edited the system policy from the Tasks tab on the Firewall Policy page by selecting DHCP under Network Services, selecting the From tab and removing the Perimeter traffic source.
- We removed the last Perimeter network under the Networks tab in Networking.
- We reconfigured all our web servers (as they were configured for Perimeter Network rules as well).