Been struggling with IP spoofing issues on our TMG 2010 server.
We have web services published to public IPs, all bound to a NIC called WAN-PUBLIC, which then NATs to the internal IPs of the web servers.
In certain scenarios we’re unable to gain access to the servers, and the ISA logs are full of spoofing errors such as this:
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Local Host (213.122.169.54:18816)
Destination: Internal (192.168.9.130:443)
Protocol: HTTPS
The source host in this scenario is an IIS server / NLB using ARR, so it’s almost acting like a reverse proxy.
Below are the relevant public IPs bound to the WAN NIC, and as you can see it has a default gateway set of an upstream ISP router.
Ethernet adapter WAN-PUBLIC:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 213.122.169.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.51
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.52
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.53
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.54
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.55
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.56
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.57
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.58
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 213.122.169.59
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 213.122.169.49
Below is the internal NIC of the ISA server (no gateway set):
Ethernet adapter LAN-PRIVATE:
IPv4 Address. . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
So the rule above that’s failing is on a 192.168.9.x network; this network has a manual route defined that goes via an internal core switch.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 213.122.169.49 213.122.169.50 266
10.10.10.0 255.255.255.0 192.168.0.2 192.168.0.1 11
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.1 266
192.168.0.1 255.255.255.255 On-link 192.168.0.1 266
192.168.0.103 255.255.255.255 192.168.0.103 192.168.0.107 31
192.168.0.107 255.255.255.255 On-link 192.168.0.107 286
192.168.0.255 255.255.255.255 On-link 192.168.0.1 266
192.168.9.0 255.255.255.0 192.168.0.2 192.168.0.1 11
213.122.169.0 255.255.255.0 On-link 213.122.169.50 266
213.122.169.50 255.255.255.255 On-link 213.122.169.50 266
213.122.169.51 255.255.255.255 On-link 213.122.169.50 266
213.122.169.52 255.255.255.255 On-link 213.122.169.50 266
213.122.169.53 255.255.255.255 On-link 213.122.169.50 266
213.122.169.54 255.255.255.255 On-link 213.122.169.50 266
213.122.169.55 255.255.255.255 On-link 213.122.169.50 266
213.122.169.56 255.255.255.255 On-link 213.122.169.50 266
213.122.169.57 255.255.255.255 On-link 213.122.169.50 266
213.122.169.58 255.255.255.255 On-link 213.122.169.50 266
213.122.169.59 255.255.255.255 On-link 213.122.169.50 266
213.122.169.255 255.255.255.255 On-link 213.122.169.50 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.1 266
224.0.0.0 240.0.0.0 On-link 213.122.169.50 266
224.0.0.0 240.0.0.0 On-link 192.168.0.107 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.1 266
255.255.255.255 255.255.255.255 On-link 213.122.169.50 266
255.255.255.255 255.255.255.255 On-link 192.168.0.107 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
192.168.9.0 255.255.255.0 192.168.0.2 1
10.10.10.0 255.255.255.0 192.168.0.2 1
0.0.0.0 0.0.0.0 213.122.169.49 Default
The 192.168.9.x network range has been defined within the ISA Network tab on the “Internal” NIC.
I’ve run the ISA BPA and it hasn’t detected a configuration issue.
Any thoughts on how to proceed?
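To make the logged drop reproducible, here is an added example (not part of the post above and not TMG's own code) that replays a reverse-path style spoof check against the route table and ipconfig data shown in the post. The assumption, stated in the code, is that the "source IP address is spoofed" decision works the way an RPF check does: the interface a packet arrives on must be the one the route table would use to reach the packet's source address, and a packet carrying one of the host's own addresses as its source is never legitimate when it comes in off the wire. The route table excerpt and the interface address lists are constructed from the output in the post; the sample source/interface pairs at the bottom are made up to exercise the check.

```python
import ipaddress

# Route table excerpt constructed from the "Active Routes" output in the post
# (columns: destination, netmask, gateway, interface address, metric).
ROUTE_TABLE = """
0.0.0.0 0.0.0.0 213.122.169.49 213.122.169.50 266
10.10.10.0 255.255.255.0 192.168.0.2 192.168.0.1 11
192.168.0.0 255.255.255.0 On-link 192.168.0.1 266
192.168.9.0 255.255.255.0 192.168.0.2 192.168.0.1 11
213.122.169.0 255.255.255.0 On-link 213.122.169.50 266
213.122.169.54 255.255.255.255 On-link 213.122.169.50 266
"""

# Interface names and addresses taken from the ipconfig output in the post.
INTERFACES = {
    "WAN-PUBLIC": [ipaddress.ip_address(f"213.122.169.{n}") for n in range(50, 60)],
    "LAN-PRIVATE": [ipaddress.ip_address("192.168.0.1")],
}
LOCAL_ADDRESSES = {ip for ips in INTERFACES.values() for ip in ips}


def parse_routes(text):
    """Turn route-print style lines into (network, gateway, interface_ip, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def best_route(routes, addr):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(addr)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(routes, addr):
    """Name of the NIC the host would use to reach addr, per the route table."""
    route = best_route(routes, addr)
    if route is None:
        return None
    for name, ips in INTERFACES.items():
        if route[2] in ips:
            return name
    return str(route[2])


def spoof_check(routes, src, arrived_on):
    """Reverse-path check. Assumption: this mirrors the decision behind the
    "source IP address is spoofed" drop in the log. A packet is treated as
    spoofed when its source address does not belong behind the interface it
    arrived on, or when the source is one of this host's own addresses."""
    src_ip = ipaddress.ip_address(src)
    if src_ip in LOCAL_ADDRESSES:
        return True, f"{src} is one of this host's own addresses"
    expected = egress_interface(routes, src)
    if expected != arrived_on:
        return True, f"route to {src} is via {expected}, but packet arrived on {arrived_on}"
    return False, "source is consistent with the arrival interface"


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # The logged packet: source 213.122.169.54 is a WAN-PUBLIC address, while
    # destination 192.168.9.130 is routed out of LAN-PRIVATE via 192.168.0.2.
    print("dst 192.168.9.130 goes out", egress_interface(routes, "192.168.9.130"))
    # Constructed (source, arrival interface) pairs to exercise the check.
    for src, nic in [("213.122.169.54", "LAN-PRIVATE"),
                     ("10.10.10.5", "WAN-PUBLIC"),
                     ("192.168.9.130", "LAN-PRIVATE"),
                     ("8.8.8.8", "WAN-PUBLIC")]:
        spoofed, why = spoof_check(routes, src, nic)
        print(f"{src:16} on {nic:11} -> {'DROP' if spoofed else 'ok'}: {why}")
```

Running it shows that a packet with source 213.122.169.54 fails the check on either NIC: on LAN-PRIVATE because the route to that address points out of WAN-PUBLIC, and on WAN-PUBLIC because the address is bound to the host itself. That is the kind of mismatch between arrival interface, source address and route table that a spoof-detection drop records, so when chasing this, comparing the interface the packet actually entered on against `egress_interface` for its source is the first thing to confirm.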