17 May 2011

TMG non web server protocol does not work with a perimeter network present

This is a summary from a case that AJ and I were looking at. I was not able to assist him through to completion, but the findings he discovered might be very useful to publish, and he has graciously allowed me to publish them.

The network layout

External Network - TMG - Perimeter Network - FTP perimeter IP

The problem symptoms

When attempting to connect to his published FTP server from the external network, his connections got dropped. Checking the TMG logs, he found the following:

Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP

The FTP server was accessible from the internal network. The TMG host itself (Local Host) could also connect to the FTP server via the perimeter network, but no connection from the external network made it through.
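The Denied Connection record above is the symptom to look for: traffic for a published port arriving at Local Host and being dropped by the Default rule, which means no publishing rule matched it. As an added example (not code from the original post), here is a small Python triage script that parses records in that multi-line layout (the layout and field names are assumed from the single record shown), picks out Denied entries that fell through to the Default rule, and flags those aimed at Local Host on a port a publishing rule is supposed to own. The sample records are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the multi-line layout of the record quoted in the post
# (the layout and the field names are assumed from that one record).
SAMPLE_LOG = """\
Denied Connection TMGServer 4/14/2011 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (192.0.2.25:2801)
Destination: Local Host (192.0.2.1:21)
Protocol: FTP

Allowed Connection TMGServer 4/14/2011 10:27:02 PM
Log type: Firewall service
Status: Connection allowed.
Rule: Publish Web Site
Source: External (203.0.113.7:50112)
Destination: Local Host (198.51.100.2:443)
Protocol: HTTPS

Denied Connection TMGServer 4/14/2011 10:28:15 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (203.0.113.9:41000)
Destination: Local Host (198.51.100.2:21)
Protocol: FTP
"""

HEADER_RE = re.compile(r"^(?P<action>Denied|Allowed) Connection (?P<server>\S+) (?P<ts>.+)$")
ENDPOINT_RE = re.compile(r"^(?P<net>.+?) \((?P<ip>[^:()]+):(?P<port>\d+)\)$")


@dataclass
class Record:
    action: str
    server: str
    timestamp: str
    rule: str
    protocol: str
    src_net: str
    src_ip: str
    src_port: int
    dst_net: str
    dst_ip: str
    dst_port: int
    status: str = ""


def _endpoint(value: str) -> Tuple[str, str, int]:
    """Split 'Network (ip:port)' into network name, address and port."""
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {value!r}")
    return m.group("net"), m.group("ip"), int(m.group("port"))


def parse_records(text: str) -> List[Record]:
    """Parse blank-line separated connection records; blocks that are not records are skipped."""
    records: List[Record] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if head is None:
            continue
        fields: Dict[str, str] = {}
        for ln in lines[1:]:
            key, _, val = ln.partition(":")  # split on the first colon only
            fields[key.strip()] = val.strip()
        records.append(Record(
            head["action"], head["server"], head["ts"],
            fields.get("Rule", ""), fields.get("Protocol", ""),
            *_endpoint(fields["Source"]), *_endpoint(fields["Destination"]),
            fields.get("Status", ""),
        ))
    return records


def default_rule_denials(records: Iterable[Record]) -> List[Record]:
    """Connections that matched no policy rule and were dropped by the Default rule."""
    return [r for r in records if r.action == "Denied" and r.rule == "Default rule"]


def unmatched_publishing(records: Iterable[Record], published_ports: Iterable[int]) -> List[Record]:
    """Default-rule denials aimed at the TMG host (Local Host) on a port a publishing
    rule should own: the symptom in the post, where the publishing rule never matched."""
    ports = set(published_ports)
    return [r for r in default_rule_denials(records)
            if r.dst_net == "Local Host" and r.dst_port in ports]


def summarize(records: Iterable[Record]) -> Dict[Tuple[str, str, int], int]:
    """Count Default-rule denials by (source network, protocol, destination port)."""
    return dict(Counter((r.src_net, r.protocol, r.dst_port) for r in default_rule_denials(records)))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in unmatched_publishing(recs, {21, 443}):
        print(f"{r.timestamp}: {r.protocol} from {r.src_net} {r.src_ip} "
              f"to {r.dst_net}:{r.dst_port} hit '{r.rule}'")
    print(summarize(recs))
```

Run against a saved copy of the log viewer output, the summary groups the denials by source network, so a published port that only ever shows up under the Default rule from one network points at the network rule configuration rather than at the publishing rule itself.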

We went through a number of basic checks but were stumped, because he had web sites published in the same manner as he was attempting to publish the FTP site.

At this point I was heading offshore on holiday - with no internet access.

The Resolution
AJ managed to get a resolution for the problem from Microsoft directly. Here are his findings:

"We had a Perimeter Network on our TMG 2010 server. Non-web Server protocol publishing rules will not work on a Forefront 2010 TMG that was configured as a Back Firewall unless the Perimeter Network is removed. So, we took the following steps to correct our problem:
  1. On the Network Rules tab in Networking, we removed the Perimeter Network rules (we had two rules, rule 4 and 5, listed as Perimeter Network Rules. At first, we were unable to remove rule 5 because it was attached to the existing policy, so we had to take steps 2 and 3) and kept the External (built-in network) Network Rule.
  2. We edited the system policy from the Tasks tab on the Firewall Policy page by selecting DHCP under Network Services, selecting the From tab, and removing the Perimeter traffic source.
  3. We removed the last Perimeter network under the Networks tab in Networking.
  4. We reconfigured all our web servers (as they were configured for Perimeter Network Rules as well).
I configured the Non-web Server Protocol Publishing FTP rule on my TMG. I opened an FTP client and tried accessing the FTP server; it worked without any issues."
