Greetings, community)
We have a strange situation with our "TMG Servers".
Architecture:
2 Internal (Back-End) TMG servers with 2 NIC each - Internal and Perimeter
2 DMZ (Front-End) TMG servers with 3 NICs each - Perimeter, Provider1, Provider2
2 EMS servers that have 2 Arrays - "DMZ" with two DMZ standalone servers and "Proxy" with two domain internal TMG servers.
Internal TMG servers have enabled NLB on each NIC. So, they are available from Perimeter through their Perimeter-VIP and form Internal through Internal-VIP.
DMZ servers have NLB on their perimeter NICs, and enabled ISP Redundancy. Each external NIC has his own Default gateway.
DMZ servers has persistent route for traffic to internal network through Perimeter-VIP of Internal servers.
So, the problem is strange:
We have some delays for traffic from external networks.
DMZ servers logs have errors with IP address spoofing:
| Denied Connection | DMZ-TMG-02 28.05.2014 13:24:18 |
|---|---|
| Log type:Firewall service | |
| Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. | |
| Rule:None - see Result Code | |
| Source: External (62.168.252.106:21972) | |
| Destination:Internal (172.16.0.100:443) <- This is Back-End Servers Perimeter-VIP. | |
Same situation in Internal ARRAY logs:
| Denied Connection | BLK-TMG-02 28.05.2014 13:29:16 |
|---|---|
| Log type:Firewall service | |
| Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. | |
| Rule:None - see Result Code | |
| Source:Local Host (172.16.0.102:54152) | |
| Destination:External (93.158.134.11:80) | |
| Protocol: HTTP | |
and| Denied Connection | BLK-TMG-02 28.05.2014 13:45:45 |
|---|---|
| Log type:Firewall service | |
| Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. | |
| Rule:None - see Result Code | |
| Source:Local Host (172.16.0.100:443) | |
| Destination:External (213.87.131.98:46125) | |
| Protocol: Skype <- User defined protocol for Skype ACCESS | |
Is it normal or somewhere I did a mistake with configuration?
Internet acces from Internal works good but with annoing delays sometimes:
| Closed Connection | DMZ-TMG-02 28.05.2014 13:52:33 |
|---|---|
| Log type:Firewall service | |
| Status: A connection was rejected because the connection limit specifying the maximum number of connections that can be created for a rule during one second was exceeded. | |
| Source:Internal (172.16.0.101:49934) | |
| Destination:External (66.196.66.157:80) | |
| Protocol: HTTP | |
Flood Mitigation is disabled, but why TMG talking about connection limits?