The Ip Address Specified For Communication Between This Forefront Tmg
From #1 above it looks like you are sending your mail traffic to the firewall. Are you then doing port forwarding to the Barracuda? Unless you have a shortage of public IPs typically you'll create a NAT and send your mail to the public IP of the Barracuda. Have your MX point to the Barracuda and allow incoming mail to the Barracuda's public IP on the firewall. Then the Barracuda will send the mail to the mailbox server. If the cuda and mailbox server are on the same internal network behind the firewall most likely you will not need to open up an port between the cuda and mailbox. You'll just want to make sure you have the Barracuda's IP listed on your receive connector (if using Exchange).
Websense Filtering Service must be installed and running before you install the ISAPI Filter plug-in. Make sure that Forefront TMG integration was specified during Filtering Service installation. On the Filtering Service Communication screen, enter the IP address of the. Integrating Web Security with Microsoft Products Installing Web. 'Description: The IP address specified for communication between this Forefront TMG computer (192.168.10.17) and other array members is not bound to a network adapter installed on this computer.The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.'
I have a TMG 2010 server being used solely in the reverse proxy role (i.e. publishing DMZ web servers via Web Publishing rules such that their individual sites can be made externally accessible).
After a lot of research I'm now confident that I properly understand all of the configuration settings which are present in the rule's 'To' tab, except for one minor detail:
Under 'Proxy requests to published site', 'specify how the firewall proxies requests to the published server' there are two options, it's my understanding that they have the following effect:
If 'Requests appear to come from the the Forefront TMG computer', TMG will replace the 'Source Address' field in the request's IP packet header with it's own IP address.
If 'Requests appear to come from the original client', TMG will leave the 'Source Address' field in the request's IP packet header as is (which depending on the web server's default gateway configuration may or may not cause routing or state-related problems).
The Ip Address Specified For Communication Between This Forefront Tmg Management
My TMG server has multiple IP addresses bound to a single DMZ-facing NIC.
So my question is this - if I leave this setting on default (requests appear to come from TMG), how can I tell/configure which of the IP addresses bound to the TMG server's DMZ-facing NIC will be used in the IP packet header when it's forwarded to the web server?
I know I can look in the web server logs, but I'd like an approach which is more proactive, and ideally some information on how TMG actually decides which to use and if that decision can be influenced in any way, perhaps through TMG's own configuration interface, or even through more 'established' methods such as modifying interface route metrics manually.
Thanks
Tom TregennaTom Tregenna1 Answer
I managed to find the answer to this question primarily with the help of this article.
There is a feature of TMG called 'Enhanced NAT' which can be used to specify which IP addresses are used for any given route.
In the end I created a new Networking Rule between 'All Networks (including Localhost)' to 'Internal', changed the relation from 'Route' to 'NAT' , and you can then use the 'NAT address Selection' tab to choose between one of the following options:
- Use the default IP address
- Use the specified IP address (dropdown)
- Use multiple IP addresses (selection button)
I have verified in my web server logs that this does in fact appear to work as expected.
Thanks to those who took the time to view this question, I hope it helps someone with a similar issue in the future.
Tom TregennaTom Tregenna