DMZ to LAN - 3 Leg configuration with NLB

Hi Fellas:

I have two TMG's in a NLB array and I'm trying to connect a published web server from the DMZ to an internal SQL Server on the LAN.

I can connect to the web server externally np.

I can test-ping the web server from either TMG np, however I cannot ping anything from the DMZ web server the other way.  The server is able to connect to Windoze Update np.

I have already added a route to use the gateway of the DMZ (eg:  route add 172.18.0.0 MASK 255.255.255.0 192.168.125.1).

Where have I gone wrong?

Thanks!

January 2nd, 2014 7:23pm

Hi,

is there a TMG network rule with ROUTE relationship in place between the DMZ network and the INTERNAL network?

January 2nd, 2014 8:16pm

No and further reading leads me to believe that there is supposed to be one automagically created during setup?

Perhaps that is my issue?

I did have a rule that is specific to the web server being able to talk to the sql server that did not work.

I tried creating a DMZ to Internal route and it's not working either.

Thanks

January 2nd, 2014 10:53pm

Ok I'm getting farther.

I had to set my Default Gateway to my DMZ NLB IP and also create a static route on the Web Server.

I'm now seeing traffic in my TMG logs but I cannot get a SQL custom port to work.

What should I open for SQL other than the custom port # to enable two-way ODBC?

Thanks

January 3rd, 2014 7:22pm

As Mark pointed out earlier, you need to make sure that, under Networking, the relationship between the DMZ network and the Internal network is a Route relationship and not a NAT relationship.

Once that is done you will need to create an Access rule that allows whatever protocol it is that you want to allow between the two. Put Internal and DMZ networks on BOTH your Source and Destination tabs in the access rule.

January 3rd, 2014 7:51pm

I double checked and the route relationship is there.

I checked my Access Rule and I didn't have both source and destination on both sides of the rule.  I added that and decided to try ICMP instead of SQL for simplicity.

I can see the ICMP in the TMG live log however it still fails.

Is it failing because the host on the LAN is using the Cisco default gateway and getting lost trying to come back to the DMZ?

January 6th, 2014 11:33pm

Hi,

Additionally, you can re-check your configuration like this:

1. Route relationship between internal and DMZ

2. An Access rule allowing the traffic from DMZ to internal (e.g. allow ICMP from DMZ to internal)

3. Double check the rule configured above has a higher priority in your rule list

4. For a DMZ client, the web server is an internal web server, so if you would like to access it, you need to use the IP or internal domain name rather than the external domain name

5. If your test using ICMP still fails, you need to capture the packets on your web server to see if the packets can reach the web server.

6. Meanwhile, you need to check the TMG live log to see which rule is blocking your traffic.

Best Regards

Quan Gu

January 7th, 2014 11:31am

Is it being Denied or is it Failing? Is there a reason code in Live Logging?

Set up Netmon 3.4 and capture on all interfaces. Is it ever making it out of your DMZ interface? Is it possible that something upstream from TMG is blocking it and/or not returning it?

January 7th, 2014 6:12pm

Hi,

Additionally, you can re-check your configuration like this:

1. Route relationship between internal and DMZ

check

2. An Access rule allowing the traffic from DMZ to internal (e.g. allow ICMP from DMZ to internal)

check

3. Double check the rule configured above has a higher priority in your rule list

#2

4. For a DMZ client, the web server is an internal web server, so if you would like to access it, you need to use the IP or internal domain name rather than the external domain name

understood

5. If your test using ICMP still fails, you need to capture the packets on your web server to see if the packets can reach the web server.

I think they get as far as TMG then the default rule is still blocking:

6. Meanwhile, you need to check the TMG live log to see which rule is blocking your traffic.

Says Default Rule as if the allow rule does not do anything

Weird part is I see slightly different symptoms when I ping from the DMZ to the LAN vs LAN to the DMZ:

Best Regards

Quan Gu

January 7th, 2014 6:55pm

After I clued into the fact that I needed a route setup on the DMZ WebServer to the NLB DMZ IP and another route setup on the LAN Server to the NLB LAN nic I can see the traffic trying to get thru TMG.

However, it seems to get from the DMZ to the LAN but it's being blocked by the default rule on the way back I think, as there is a denied event in the log even though I have the ICMP rule set up.

January 7th, 2014 7:04pm

If it is falling down to default rule then it is probably not matching any of your current rules. Are you sure you have an Access rule that allows ICMP and has both networks (Internal and DMZ) in both the Source and Destination tabs?
January 8th, 2014 11:41pm

Update:

I think I finally got this thing beat as SQL traffic is flowing now!

  • create access rule to allow SQL from internal/perimeter to internal/perimeter hosts
  • add route from perimeter to lan on DMZ NLB nic on webserver
  • add route from lan to perimeter on LAN NLB nic on the sql server
  • Bob's your uncle!

Thanks for your help fellas!

January 9th, 2014 1:04am
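The two fixes the thread ends on (a static route on each host pointing at the TMG NLB address on its own segment, and an access rule that lists both networks on both the Source and Destination tabs) can be checked offline with a small model of how a Windows host picks a gateway and how TMG evaluates its ordered rule list. The following Python is an added example, not code from the thread or from TMG; the only values taken from the posts are the LAN prefix 172.18.0.0/24 and the TMG DMZ gateway 192.168.125.1. The DMZ prefix, the TMG LAN NLB address, the Cisco router address, the host addresses, the SQL port and the rule names are constructed for illustration.

```python
"""Model of the two checks this thread converges on (added example).

1. A host picks its next hop by longest-prefix match. Without a static route
   for the far-side network, the SQL server's reply to the DMZ web server goes
   to its default gateway (the Cisco router), not to TMG, so TMG never sees it.
2. TMG evaluates access rules first-match, on the direction in which the
   connection is initiated. A rule with DMZ only in Source and Internal only
   in Destination never matches a connection started from the LAN side, which
   then falls through to the Default rule (deny).

Only 172.18.0.0/24 and 192.168.125.1 come from the thread; everything else
below is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str            # "on-link" for a directly connected prefix


def next_hop(routes, dst):
    """Longest-prefix match, as a Windows host selects its gateway."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).gateway


def route_add(routes, prefix, gateway):
    """Equivalent of 'route add <net> MASK <mask> <gw>' on the host."""
    return routes + [Route(ipaddress.IPv4Network(prefix), gateway)]


# Constructed topology (assumption): DMZ 192.168.125.0/24 behind the TMG NLB
# address 192.168.125.1; LAN 172.18.0.0/24 with the TMG NLB address 172.18.0.1
# and a Cisco router at 172.18.0.254 as the LAN hosts' default gateway.
TMG_DMZ_NLB = "192.168.125.1"
TMG_LAN_NLB = "172.18.0.1"
CISCO_GW = "172.18.0.254"
WEB_SERVER = "192.168.125.10"
SQL_SERVER = "172.18.0.20"
SQL_PORT = "tcp/1433"       # stand-in; the thread's custom port is not named

SQL_SERVER_ROUTES = [                      # before the OP's fix
    Route(ipaddress.IPv4Network("172.18.0.0/24"), "on-link"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), CISCO_GW),
]
WEB_SERVER_ROUTES = [                      # default gateway set to DMZ NLB IP
    Route(ipaddress.IPv4Network("192.168.125.0/24"), "on-link"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), TMG_DMZ_NLB),
]


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: frozenset        # e.g. {"icmp", "tcp/1433"}; "*" means any
    sources: frozenset          # TMG network names; "*" means any
    destinations: frozenset


DEFAULT_RULE = AccessRule("Default rule", "deny",
                          frozenset({"*"}), frozenset({"*"}), frozenset({"*"}))


def _member(value, allowed):
    return value in allowed or "*" in allowed


def evaluate(rules, protocol, src_net, dst_net):
    """First-match walk of the ordered rule list with the Default rule last.

    Matching is done for the initiating direction; TMG keeps state for the
    replies of a connection it has already allowed."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if (_member(protocol, rule.protocols)
                and _member(src_net, rule.sources)
                and _member(dst_net, rule.destinations)):
            return rule.name, rule.action
    raise AssertionError("unreachable: Default rule matches everything")


ONE_WAY_RULE = AccessRule("Allow SQL DMZ->Internal", "allow",
                          frozenset({SQL_PORT}),
                          frozenset({"DMZ"}), frozenset({"Internal"}))
BOTH_WAYS_RULE = AccessRule("Allow SQL DMZ<->Internal", "allow",
                            frozenset({SQL_PORT}),
                            frozenset({"DMZ", "Internal"}),
                            frozenset({"DMZ", "Internal"}))


if __name__ == "__main__":
    print("SQL server replies to web server via:", next_hop(SQL_SERVER_ROUTES, WEB_SERVER))
    fixed = route_add(SQL_SERVER_ROUTES, "192.168.125.0/24", TMG_LAN_NLB)
    print("after static route:", next_hop(fixed, WEB_SERVER))
    print("LAN-initiated SQL, one-way rule:", evaluate([ONE_WAY_RULE], SQL_PORT, "Internal", "DMZ"))
    print("LAN-initiated SQL, both-ways rule:", evaluate([BOTH_WAYS_RULE], SQL_PORT, "Internal", "DMZ"))
```

Run as a script, the first two lines show the SQL server's next hop for the web server moving from the Cisco router to the TMG LAN NLB address once the static route exists, and the last two show a LAN-initiated connection being dropped by the Default rule under the one-way rule and allowed under the rule that lists both networks on both sides. In the live log this is the same "Default rule" denial the thread describes, so when an allow rule appears to do nothing, comparing the initiating direction against the rule's Source and Destination tabs is the first thing to check.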
