
Using Non-Web Server Publishing rules with a route relationship on Forefront TMG


If you read my articles about installing and configuring Forefront TMG back-to-back solutions (here and here), you might have wondered why I did not configure a publishing rule that points to the back-end Exchange 2003 server, but instead created an access rule between the Barracuda and the back-end Exchange 2003 server. Normally you use access rules when there is a route relationship between the networks and publishing rules when there is a NAT relationship. It is one of TMG's best kept secrets that you can actually use publishing rules with a route relationship between networks as well. You might also wonder why OWA works in our scenario without any special configuration, since, as you can see, we used an Exchange Web Client Access publishing rule. The answer is the following:

The web listener used for web publishing always includes the TMG Web Proxy Filter. An application proxy such as the Web Proxy Filter terminates the client connection and creates a completely new connection between TMG and the published server, and the default for web publishing rules is to "Use the ISA computer IP address" (in the TMG UI: "Requests appear to come from the Forefront TMG computer") when making that connection. TMG therefore effectively performs NAT on the traffic between client and server: it creates sockets on its own configured IP addresses even if there is a route relationship between the networks.

So there is effectively a NAT relationship between the client and the server, and that is why it works out of the box.

Back to our problem with the Barracuda. By default it can only deliver mail to a specific IP address, and it does not know the route to the back-end Exchange server because you cannot create static routes on it by default. So we want to deliver mail traffic to 10.6.0.2 (the secondary interface of the TMG-BE). Let's create the publishing rule on the TMG-BE:

Rule name: Publish mail traffic from Barracuda to Exchange 2003 Backend (choose Non-Web Server Publishing Rule)
Rule order: place on top
Rule action: Allow
Protocol: SMTP (custom protocol, inbound TCP port 25)
From: Barracuda
To: Exchange 2003 Back-End (10.4.30.30)
Network listener IP address: Perimeter interface, IP 10.6.0.2
User sets: All Users
Make sure you enable: Requests appear to come from the original client

If you look at the TMG firewall log, you will see it is not working at all:

Hmm… that seems weird. Let's check whether TMG is actually listening on port 25 on the 10.6.0.2 address:

Nothing is returned, so apparently not. Let's check with the netsh tmg command set (the replacement for ISA's fwengmon tool):

Nothing there either. As said before, with a route relationship between the networks the TMG firewall does not bind a listener on its own IP address for the published port, so a server publishing rule over a route relationship cannot accept connections on 10.6.0.2:25. Solution: we need to create a NAT relationship between the Barracuda (perimeter network) and the Exchange 2003 back-end.

Go to the Forefront TMG – Networking – Network Rules tab
Create a new network rule called Exchange backend to perimeter
Source network : Exchange backend
Destination network : Perimeter
Relationship : NAT
Rule order: place above internal to perimeter route rule

Important: disable and re-enable your publishing rule (created above), otherwise it will not work! Let's take a look at the logging again:

and if the listener is working now:

Yep.. it seems that everything is working now.
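The two checks above (is TMG bound to 10.6.0.2:25, and does mail actually get through to the back-end after the NAT rule and the disable/enable) can be scripted so you do not have to eyeball netstat. The script below is an added example written for this page, not part of the original post or of any Microsoft tooling. It assumes the lab values from the post (listener 10.6.0.2, port 25); the EHLO name `barracuda.example` is a placeholder. It is written for the PowerShell 2.0 that ships with Windows Server 2008 R2, so it parses `netstat -ano` instead of relying on `Get-NetTCPConnection`, and it expects the TMG firewall service process to be `wspsrv`.

```powershell
# Added verification script, not part of the original post.
# Run in an elevated PowerShell session. The listener check belongs on the TMG-BE
# host; the SMTP round trip should be run from a host in the perimeter network
# (the Barracuda side), because a connection from the TMG box to its own listener
# does not exercise the network rule. Use -SkipSmtp on the TMG host.
# Assumed values (from the post's lab): listener 10.6.0.2, TCP port 25.
param(
    [string]$ListenerIp = "10.6.0.2",
    [int]$Port = 25,
    [string]$HeloName = "barracuda.example",   # placeholder EHLO name
    [switch]$SkipSmtp
)

function Test-TmgListener {
    # Parse 'netstat -ano' and return the LISTENING socket bound exactly to
    # <Ip>:<Port> plus its owning process. With a route relationship this is $null
    # (the symptom in the post); after the NAT network rule and a disable/enable of
    # the publishing rule it should be owned by the TMG firewall service (wspsrv).
    param([string]$Ip, [int]$Port)
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'      # Proto Local Foreign State PID
        if ($f.Length -ge 5 -and $f[1] -eq "${Ip}:${Port}" -and $f[3] -eq 'LISTENING') {
            $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            return New-Object PSObject -Property @{ Local = $f[1]; ProcessId = $f[4]; Process = $name }
        }
    }
    return $null
}

function Test-SmtpRoundTrip {
    # Connect to the listener and speak minimal SMTP: read the 220 banner, send
    # EHLO, collect the multi-line 250 reply, then QUIT. TMG does not answer SMTP
    # itself, so a banner means the connection was handed through the listener and
    # the NAT hop to the published Exchange server.
    param([string]$Ip, [int]$Port, [string]$Helo)
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($Ip, $Port, $null, $null)
    if (-not $ar.AsyncWaitHandle.WaitOne(5000, $false)) {
        $client.Close()
        return @{ Connected = $false; Error = 'connect timeout (filtered or no listener)' }
    }
    try { $client.EndConnect($ar) } catch {
        $client.Close()
        return @{ Connected = $false; Error = $_.Exception.Message }   # e.g. refused
    }
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    try {
        $banner = $reader.ReadLine()
        $writer.WriteLine("EHLO $Helo")
        $ehlo = @()
        # EHLO answers with '250-' continuation lines and a final '250 ' line
        do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match '^\d{3}-')
        $writer.WriteLine("QUIT")
        $null = $reader.ReadLine()
    } finally {
        $client.Close()
    }
    return @{ Connected = $true; Banner = $banner; Ehlo = $ehlo }
}

$listener = Test-TmgListener -Ip $ListenerIp -Port $Port
if ($listener) {
    "Listener {0} is bound by {1} (PID {2})" -f $listener.Local, $listener.Process, $listener.ProcessId
} else {
    "No LISTENING socket on ${ListenerIp}:${Port}. With a route relationship TMG does not bind it: " +
    "add the NAT network rule, then disable and re-enable the publishing rule."
}

if (-not $SkipSmtp) {
    $r = Test-SmtpRoundTrip -Ip $ListenerIp -Port $Port -Helo $HeloName
    if ($r.Connected) { "Banner: " + $r.Banner; $r.Ehlo } else { "SMTP connect failed: " + $r.Error }
}
```

Read the two results together: a missing listener with a failed connect is the route-relationship symptom from the post; a present listener with a refused or timed-out connect usually means the publishing rule was not disabled and re-enabled after the network rule change, or the Barracuda network object does not cover the source address; a listener plus an Exchange banner means the NAT path to 10.4.30.30 is complete.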
