
Forward original client IP to published server?

Forward original client IP to published server? - 12.Jan.2011 4:49:17 PM   
dkraut1

 

Posts: 13
Joined: 7.May2010
Status: offline
We have a published server (service) that requires the original client IP address to be forwarded through ISA/TMG, not the IP address of TMG. It's locking the service account since every access attempt appears to come from the same IP address (TMG). I know this sounds simple, just check the box "Requests appear to come from original client", but what if the published server uses a default gateway other than TMG? We use TMG to publish internal web servers, but use a different path to access the Internet so I'll end up with an asymmetric routing mess if I do that. And if I change the default gateway on the published server to point to TMG, that will break its access to other necessary internal services (DB Server, RDP, etc.).

Any ideas on how this can be resolved?

< Message edited by dkraut1 -- 12.Jan.2011 4:50:42 PM >
Post #: 1
RE: Forward original client IP to published server? - 12.Jan.2011 8:22:52 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Can you not change its DG and then add static routes for access to other known internal hosts/networks?

If you have a large network, you might be able to create route summaries to make the static routes simpler...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to dkraut1)
Post #: 2
RE: Forward original client IP to published server? - 12.Jan.2011 10:04:22 PM   
dkraut1

 

Posts: 13
Joined: 7.May2010
Status: offline
That idea actually occurred to me, JJ. I'll give that a try tomorrow.

Thanks!

(in reply to Jason Jones)
Post #: 3
RE: Forward original client IP to published server? - 13.Jan.2011 2:02:58 PM   
dkraut1

 

Posts: 13
Joined: 7.May2010
Status: offline
So we got this working... Although I think the static routes would have worked just fine, we decided to use the second NIC that was already installed in the published server. After connecting the second NIC to the switch, we set up the second NIC so that its default gateway pointed back to the primary internal VIP of TMG and left the primary NIC with our standard default gateway address. I then made sure the first NIC was set as primary in the binding order. I then changed the Firewall policy "To" tab so that it pointed to the second NIC's IP address and checked the box for "Requests appear to come from the original client". Everything seems to be working fine and the backend server is now seeing the actual client IP addresses.

Cheers!

(in reply to dkraut1)
Post #: 4
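The static-route variant JJ suggests in post #2 (change the default gateway to TMG, then add explicit routes for the internal services), applied on the published server, as an added example that is not from either poster or from Microsoft. All addresses, the interface name and the internal prefixes are constructed; the verification step checks the first hop for an internal and an external destination so that the asymmetric path dkraut1 describes is ruled out.

```powershell
# Added example, not from the thread. Assumed / constructed values:
#   'Local Area Connection'   : the published server's NIC
#   10.1.0.50/24              : the published server's own address
#   10.1.0.1                  : current default gateway (internal router; still reaches DB, RDP, ...)
#   10.1.0.254                : TMG's primary internal VIP, the new default gateway
#   10.2.0.0/16, 10.3.0.0/16  : internal networks that must keep using the internal router
$Nic          = 'Local Area Connection'
$InternalGw   = '10.1.0.1'
$TmgVip       = '10.1.0.254'
$InternalNets = @(
    @{ Net = '10.2.0.0'; Mask = '255.255.0.0' },   # DB servers (constructed)
    @{ Net = '10.3.0.0'; Mask = '255.255.0.0' }    # management / RDP sources (constructed)
)

# 1. Add the internal routes FIRST so that management access (RDP, DB) survives the
#    gateway change. -p makes them persistent across reboots.
foreach ($n in $InternalNets) {
    route.exe -p add $n.Net mask $n.Mask $InternalGw metric 1
}

# 2. Point the default gateway at TMG. Replies to Internet clients (whose real source
#    addresses TMG now preserves with "Requests appear to come from the original client")
#    then leave through TMG again, so there is no asymmetric path.
netsh.exe interface ipv4 set address name="$Nic" source=static address=10.1.0.50 mask=255.255.255.0 gateway=$TmgVip gwmetric=1

# 3. Verify: default route via TMG, internal prefixes via the internal router.
route.exe print -4
tracert.exe -d -h 2 10.2.0.10        # constructed DB host; first hop should be 10.1.0.1
tracert.exe -d -h 2 198.51.100.1     # documentation-range Internet address; first hop should be 10.1.0.254
```

Run from an elevated prompt on the published server; if it is managed over RDP from one of the internal networks, the order above (routes before gateway) keeps that session alive.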
RE: Forward original client IP to published server? - 13.Jan.2011 5:26:31 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Cool, nice approach

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to dkraut1)
Post #: 5
