We have a published server (service) that requires the original client IP address to be forwarded through ISA/TMG, not the IP address of TMG. It's locking the service account since every access attempt appears to come from the same IP address (TMG). I know this sounds simple, just check the box "Requests appear to come from original client", but what if the published server uses a default gateway other than TMG? We use TMG to publish internal web servers, but use a different path to access the Internet so I'll end up with an asymmetric routing mess if I do that. And if I change the default gateway on the published server to point to TMG, that will break its access to other necessary internal services (DB Server, RDP, etc.).
Any ideas on how this can be resolved?
< Message edited by dkraut1 -- 12.Jan.2011 4:50:42 PM >
So we got this working... Although I think the static routes would have worked just fine, we decided to use the second NIC that was already installed in the published server. After connecting the second NIC to the switch, we set up the second NIC so that the default gateway pointed back to the primary internal VIP of TMG and left the primary NIC with our standard default gateway address. I then made sure the first NIC was set as primary in the binding order. I then changed the Firewall policy "To" tab so that it pointed to the second NIC's IP address and checked the box for "Requests appear to come from the original client". Everything seems to be working fine and the backend server is now seeing the actual client IP addresses.
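As an added example (not from the thread or from Microsoft), here is the static-route alternative dkraut1 mentions, written as the commands an admin would run on the published Windows server so that replies to Internet clients return through TMG while DB/RDP traffic keeps using the internal router. All addresses, subnets, the interface index and the test host name are placeholders for your own values.

```powershell
# Added example, not from the thread: the "static routes" alternative to the second-NIC setup.
# Why: with "Requests appear to come from the original client" enabled, the server replies to the
# real client IP, so that reply must leave through TMG or the session is asymmetric and breaks.
# Internal services (DB, RDP, ...) still need to be reached through the existing internal router.

# PLACEHOLDERS - replace with your own values
$TmgInternalVip = "10.0.0.1"      # TMG primary internal VIP (the gateway replies must use)
$InternalRouter = "10.0.0.254"    # router that currently serves as the default gateway
$InternalNets   = @("10.0.0.0 255.0.0.0", "192.168.0.0 255.255.0.0")  # subnets holding DB/RDP hosts
$IfIndex        = 12              # interface index of the server NIC (see the "Interface List" in: route print)

# 1. Keep the internal subnets reachable through the existing router (-p makes the routes persistent).
foreach ($net in $InternalNets) {
    $addr, $mask = $net -split " "
    route -p add $addr mask $mask $InternalRouter metric 5 if $IfIndex
}

# 2. Send everything else, i.e. replies to Internet client addresses, back through TMG.
route -p add 0.0.0.0 mask 0.0.0.0 $TmgInternalVip metric 10 if $IfIndex
# Remove the old default gateway from the NIC's IP properties (or give it a higher metric);
# two default gateways with equal metric are exactly what produces asymmetric routing.

# 3. Verify: the active 0.0.0.0/0 route should point at TMG, the internal routes at the router.
route print -4

# 4. Check an internal dependency still works before declaring success (placeholder host/port).
Test-NetConnection -ComputerName "db01.corp.example" -Port 1433
```

The publishing rule itself still needs the "Requests appear to come from the original client" box checked on its "To" tab, as described above; after that, failed logons in the service's logs should show distinct client addresses instead of the single TMG address that was triggering the lockouts.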