Question : Back-to-back ISA/TMG 2010s result in Network Routing Issue

Problem: I am not able to connect from the LAN to the DMZ, through two ISA/TMG servers.

I have a LAN & DMZ network with a Perimeter network in between. A TMG 2010 server is protecting each, such as this:

LAN -->|tmg2010-A|<-- PERIMETER NETWORK -->|tmg2010-B|<-- DMZ1

I'm focusing on Remote Desktop (RDP) for now; however, the problem affects all traffic that is not being proxied by tmg2010-A.

I can connect through the proxy (tmg2010-A) from LAN to DMZ1
I can RDP from PERIMETER NETWORK to DMZ
I have no Windows servers in the Perimeter network, so I cannot test RDP from LAN to the Perimeter network; however, I can access it successfully using other access rules such as SSH.
I CANNOT RDP from LAN to DMZ1. When I attempt this, tmg2010-A generates an error indicating it cannot find the DMZ network. (Reference attached image: tmg2010-Aerror.jpg)

Errors on LAN firewall.

I have also attached a screenshot of the active network routes. As you will see, there is a route directing the DMZ traffic (172.29.17.0) to the external interface of tmg2010-B (172.29.16.20). In addition, the default routers .16.1 and .16.2 both know how to find the .17.0 network and are also able to reach it successfully.

Active Network Routes on LAN firewall.

I'm aware this is not a very common configuration, but it still should work as configured.

As a side note, I have configured a rule on tmg2010-A permitting my workstation on the LAN unrestricted outbound access.

Per the attached log error, this clearly appears to be a routing error and not a firewall access rule error, as the first hit logged in the screenshot indicates that the configured allow-all-outbound rule is being correctly triggered and a connection initiated to the DMZ1 network.

Any thoughts on this?

Answer : Back to back ISA/TMG 2010's result in Network Routing Issue

I found my answer. In short, it is not a supported configuration on ISA/TMG. Because the traffic is coming from a network to which the remote ISA/TMG server is not directly attached, it drops it as spoofed. So the only way to route from a network attached to one ISA/TMG to a network attached to a different ISA/TMG server (even through a semi-trusted perimeter network using private IP space) is to treat the remote network as External by not defining it in ISA/TMG's networks.

The following is an excerpt from Microsoft TechNet, outlining rules for configuring Networks:
(http://technet.microsoft.com/en-us/library/cc995185.aspx)

"Each network you create must have a dedicated network adapter associated with it. For example, to create a topology that includes the internal corporate network, the Internet, and a perimeter network, three network adapters must be installed and enabled on the Forefront TMG computer. There are some exceptions. In a back-to-back firewall configuration, where the Internet is behind a perimeter network, there is no adapter associated with the external network. In addition, a VPN site-to-site network object does not have an adapter associated with it.

All IP addresses that can be reached directly from a network adapter must be defined as part of the Forefront TMG network that is associated with the adapter. All remote subnets must be added correctly to the network definition, and the IP address range of the network must match the routing table. Routes should be defined in the routing table for each remote subnet."

"A packet is considered spoofed (and therefore dropped) if one of the following is true:

The packet contains a source IP address that (according to the routing table) is not reachable through a network adapter associated with the network.

The packet contains a source IP address that does not belong to the address range of a network associated with the adapter."


I'm not at all thrilled, but it looks like that's my answer.
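To make the two TechNet spoof conditions concrete, here is a small model of the check as it would run on tmg2010-B for a packet arriving on its perimeter-facing adapter. This is an added example, not TMG's code and not from the original post. Adapter names (EXT, DMZ) and the LAN range 10.1.1.0/24 are assumptions; 172.29.16.0/24 and 172.29.17.0/24 follow the addresses quoted in the question. It contrasts the poster's original definition (a Perimeter network bound to the adapter with only 172.29.16.0/24) with the fix from the answer (leaving that adapter as External so undefined addresses fall into it), and also shows a genuine spoof caught by the routing-table condition.

```python
"""Model of the two Forefront TMG anti-spoofing conditions quoted above.
Added example, not TMG's code. Adapter names (EXT, DMZ) and the LAN range
10.1.1.0/24 are assumptions; 172.29.16.0/24 and 172.29.17.0/24 come from
the question. Everything here is constructed and runs offline."""
from ipaddress import ip_address, ip_network

# Constructed routing table of tmg2010-B: (destination prefix, adapter).
ROUTES_B = [
    ("172.29.17.0/24", "DMZ"),   # DMZ1, directly attached
    ("172.29.16.0/24", "EXT"),   # perimeter, directly attached
    ("10.1.1.0/24", "EXT"),      # assumed LAN range, reached via tmg2010-A
    ("0.0.0.0/0", "EXT"),        # default route via the .16.1/.16.2 routers
]

# Network definitions: adapter -> (network name, address ranges).
# None means the adapter carries External, TMG's catch-all for every
# address not claimed by another defined network.
NETWORKS_BROKEN = {
    "DMZ": ("DMZ1", ["172.29.17.0/24"]),
    "EXT": ("Perimeter", ["172.29.16.0/24"]),   # the LAN is in no network
}
NETWORKS_FIXED = {
    "DMZ": ("DMZ1", ["172.29.17.0/24"]),
    "EXT": ("External", None),                  # remote LAN falls into External
}


def route_adapter(routes, dst):
    """Longest-prefix match: which adapter does the routing table use for dst?"""
    dst = ip_address(dst)
    best = None
    for prefix, adapter in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, adapter)
    return best[1] if best else None


def network_of(networks, ip):
    """Name of the TMG network that contains ip, or 'External' if none does."""
    ip = ip_address(ip)
    for name, prefixes in networks.values():
        if prefixes and any(ip in ip_network(p) for p in prefixes):
            return name
    return "External"


def spoof_check(routes, networks, arrival_adapter, src):
    """Return (dropped, reason) for a packet with source src seen on arrival_adapter.
    Condition 1: the routing table must reach src through arrival_adapter.
    Condition 2: src must belong to the network bound to arrival_adapter."""
    via = route_adapter(routes, src)
    if via != arrival_adapter:
        return True, f"{src} is routed via {via}, arrived on {arrival_adapter}"
    bound_name, _ = networks[arrival_adapter]
    actual = network_of(networks, src)
    if actual != bound_name:
        return True, f"{src} is in {actual}, but {arrival_adapter} is bound to {bound_name}"
    return False, f"{src} accepted as {actual} on {arrival_adapter}"


if __name__ == "__main__":
    # LAN workstation reaching DMZ1 through the perimeter: dropped, then allowed.
    for label, nets in (("broken", NETWORKS_BROKEN), ("fixed", NETWORKS_FIXED)):
        print(label, *spoof_check(ROUTES_B, nets, "EXT", "10.1.1.50"))
    # A real spoof: a DMZ1 address arriving on the perimeter adapter.
    print("spoof", *spoof_check(ROUTES_B, NETWORKS_FIXED, "EXT", "172.29.17.5"))
```

With the broken definitions the LAN source passes the routing check (there is a route back to it through EXT) but fails the second condition, exactly the "spoofed" drop the answer describes; a perimeter host on 172.29.16.0/24 passes both, matching the poster's working RDP from the perimeter. Binding the adapter to External instead lets any address not claimed by DMZ1 in, while a packet whose source the routing table places on the DMZ adapter is still dropped by the first condition.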