Running TMG Beta 3, configured as a 3-leg perimeter with the perimeter maintaining public addresses. I have a 28-bit CIDR block that I've split in two so one subnet occupies the main adapter connected to the Internet and the other addresses exist on the perimeter network with a 29-bit mask.
I also have a PPPoE connection to get the DSL online. All of my access rules allowing outbound access via SecureNAT are working as expected from the Internal network (haven't connected a Firewall client yet) however none of my published inbound rules are working and are all failing with a reference to the default rule, which exists as I had configured the "deny everything" rule during initial installation. I'm quite sure the routing of the traffic to the correct interface is working as I clearly see the denies logged. Ignore the perimeter network while looking at this. My failures are with publishing a rule, such as allowing RDP to redirect to an internal, privately addressed system by configuring the rule to listen on one of the bound addresses on the external network. This fails. I also have a rule that allows for OWA. I exported the cert and the private key from the OWA server, configured the listener IAW documentation on this site (which is very good by the way) and published yet I get denied connections referencing the default rule. I have the same rule on an ISA 2006 server that works just fine however it is configured as a single edge firewall and PPPoE is not part of that mix.
Configuration is a Windows 2008 x64 Enterprise Server with TMG Beta 3 Standard.
PPPoE Connection connects fine and is configured per Microsoft documentation in the Networks area of TMG's management console. It is designed to be the gateway for my 28-bit block. So when this connection is made, the details show me my gateway address as a "client address" and another IP at my provider's location is listed as the "server address". This sounds correct to me. Also, the PPPoE is configured to "act as the gateway" on the server so none of the wired adapters have a gateway listed in the IP properties.
Adapter 2 6 addresses bound on live Internet and connected directly to modem > External Mask: 255.255.255.248
Adapter 3 1 live Internet address bound in 2nd subnet and connected to dedicated switch > Perimeter Mask: 255.255.255.248
My route table shows 0.0.0.0 going to the PPPoE adapter with a metric of 1 and all other routes appear to be correct.
The publishing rules failing are specifically NAT translation rules as mentioned above.
If I walked through the wizard during setup and answered all questions correctly, I'm assuming TMG factored in my network setup as I had explained it here as I believe there is a route between the external and perimeter networks since the addressing is all public.
Where else could I look to see why the publishing rules would be ignored? Any help is greatly appreciated.
OK...I guess I should have read some of Tom's posts from a few months ago.
Rule of thumb, avoid dialing PPPoE from the ISA server. Unless you are using for web caching/outbound connectivity only, forget it. The need to publish resources on the internal network via reverse proxy, etc. will not work.
What I did to fix my situation. I took Tom's advice and removed the bridge mode from my ActionTec Q1000 modem and put the PPPoE back on the modem itself. Then I bound the gateway address of my 28-bit public address block to the LAN interface on the modem. Obviously I turned on all necessary security to protect the modem. Even though this modem has a 4 port switch on it, I simply plugged the external interface of my ISA server into the modem and bound my public IP's to the external interface referencing the LAN interface IP of the modem as my default gateway on the ISA external interface. Traffic now flows both ways without issues.
The only remaining snag I have is routing to the perimeter network. I have listed the subnet mask as 28 bits on the modem to get the entire block to flow upstream to me however I wanted to establish two separate 29-bit networks on the ISA server. One would be directly bound to the external interface and would be used for publishing rules via NAT/reverse proxy and the other network assigned to my perimeter network.
When I set up the 3-leg perimeter via the TMG wizard, I indicated I wanted the perimeter network to maintain public addresses so I'm assuming TMG sets up a route scenario in that case.
Can someone point me in the right direction to make sure I have the right addresses, subnet masks and routes in place for this to work? I'll be happy to provide IP's in a PM if the solution is straight forward. I think the PPPoE scenario fried my brain for the week thus far.