Question : Forefront TMG source IP address spoofed issue

I am installing 2 TMG servers in an array. I am attempting the same basic function as my 4 year old ISA 2006 array. They are to be used for publishing internal web sites to the DMZ and hence to the Internet. They sit behind the edge firewall and hence connect to the DMZ. I am testing a web publishing rule.

TMG rejects the connection because it detects the source as spoofed. I have read several articles in various places and tried to ensure the address range for the source packets is in the DMZ network. The error message is:

Denied Connection GCSTMG02 6/4/2010 10:25:30 AM
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.  
Rule: None - see Result Code
Source: DMZ (72.159.133.201:3648)
Destination: Local Host (192.168.100.140:80)
Protocol: HTTP

The route table from one TMG is attached.
[Attached image: TMG host route table]

Answer : Forefront TMG source IP address spoofed issue

The detailed TMG logs were very helpful, coupled with a TechNet article. The config errors in the log were:

Description: The routing table for the network adapter DMZ includes IP address ranges that are not defined in the array-level network DMZ, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
Internal:10.207.0.0-10.207.255.255,192.168.101.0-192.168.251.255,192.168.252.8-192.168.252.254,192.168.253.0-223.255.255.255,240.0.0.0-255.255.255.254;

The network "Internal" does not correlate with the network adapters that belong to it.
Ranges in adapter "Heartbeat" that do not belong to network "Internal": 10.207.0.0-10.207.255.255,192.168.101.0-192.168.251.255,192.168.252.8-223.255.255.255,240.0.0.0-255.255.255.254;
When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed.
Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.


The network "Internal" does not correlate with the network adapters that belong to it.
Ranges in adapter "Private" that do not belong to network "Internal": 10.207.0.0-10.207.255.255,192.168.101.0-192.168.251.255,192.168.252.8-223.255.255.255,240.0.0.0-255.255.255.254;
When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed.
Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

With the above and http://technet.microsoft.com/en-us/library/cc995185.aspx, I was then able to manually adjust the addresses in the networks and interfaces so that TMG was not blocking, as spoofed, packets that should have been allowed.

Hope this helps.
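The configuration-error event quoted in the answer describes a simple containment rule: every IP range routable through an adapter must be inside the address ranges of the array-level network that adapter is bound to, otherwise traffic from the uncovered ranges is dropped as spoofed. The following added example (it is not code from the original post or from Microsoft; TMG itself has no such script) reproduces that check offline so an administrator can compare a planned network definition against an adapter's routes before applying it. The route entries and the "Internal" network ranges it uses are constructed sample data, not the poster's real configuration.

```python
"""
Added example (not from the original post): reproduce offline the check
behind TMG's configuration-error event. Every IP range routable through an
adapter bound to an array-level network must be contained in that network's
address ranges; anything left over is reported as "will be dropped as
spoofed". Addresses, routes and network definitions below are constructed
sample data, not a real TMG configuration.
"""
import ipaddress


def to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def to_str(n):
    return str(ipaddress.IPv4Address(n))


def parse_range(text):
    """'a.b.c.d-w.x.y.z' (TMG log style) or 'a.b.c.d/nn' -> inclusive (start, end)."""
    if "-" in text:
        lo, hi = text.split("-")
        return to_int(lo), to_int(hi)
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge(ranges):
    """Sort and coalesce overlapping or adjacent inclusive ranges."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def subtract(ranges, covered):
    """Return the parts of `ranges` that no range in `covered` includes."""
    covered = merge(covered)
    result = []
    for lo, hi in merge(ranges):
        cur = lo
        for clo, chi in covered:
            if chi < cur or clo > hi:
                continue  # this covered range does not touch what is left
            if clo > cur:
                result.append((cur, clo - 1))  # gap before the covered piece
            cur = max(cur, chi + 1)
            if cur > hi:
                break
        if cur <= hi:
            result.append((cur, hi))
    return result


def fmt(ranges):
    return [f"{to_str(lo)}-{to_str(hi)}" for lo, hi in ranges]


def spoof_dropped_ranges(adapter_routes, network_ranges):
    """Ranges routable via the adapter that the array network does not define;
    these are exactly what the TMG event lists as dropped as spoofed."""
    return fmt(subtract([parse_range(r) for r in adapter_routes],
                        [parse_range(r) for r in network_ranges]))


def repaired_network(adapter_routes, network_ranges):
    """The fix the event recommends: add the missing ranges to the network."""
    combined = ([parse_range(r) for r in network_ranges]
                + [parse_range(r) for r in adapter_routes])
    return fmt(merge(combined))


# Constructed sample: routes bound to a 'Heartbeat' adapter, and the ranges an
# administrator defined for the array-level 'Internal' network.
HEARTBEAT_ROUTES = ["10.207.0.0/16", "192.168.252.0/24"]
INTERNAL_NETWORK = ["192.168.100.0/24", "192.168.252.0-192.168.252.7"]

if __name__ == "__main__":
    missing = spoof_dropped_ranges(HEARTBEAT_ROUTES, INTERNAL_NETWORK)
    print("Ranges in adapter 'Heartbeat' not in network 'Internal':", missing)
    fixed = repaired_network(HEARTBEAT_ROUTES, INTERNAL_NETWORK)
    print("Network 'Internal' after adding them:", fixed)
    print("Re-check after the fix:", spoof_dropped_ranges(HEARTBEAT_ROUTES, fixed))
```

Paste an adapter's routes from `route print` (destination and mask as CIDR) and the network's ranges from the TMG console into the two lists; a non-empty result is the list of ranges that the event would report, and the repaired list is the minimal network definition that makes the check pass. Note that a default route (0.0.0.0/0) on an adapter makes the whole address space "routable" through it, which is why the quoted event shows large ranges such as 192.168.253.0-223.255.255.255.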