Forum Discussion

Adam_Miceli_144
Jan 28, 2013

F5 detects TMG servers down

Hi,

We are trying to publish Exchange 2010 using MSFT Threat Management Gateway (TMG). The TMG servers sit behind a pair of F5 BIG-IPs running 10.x. We have completed all the steps outlined in the deployment guides, but are running into a problem where the F5s are detecting that the TMG servers are down (not listening on TCP 80). On the TMG servers, I can see the F5 attempts to connect on TCP 80 being denied with a response of "The policy rules do not allow the user request." We have tried adding a rule to allow all HTTP requests from the F5 IP range, but that did not help the cause.

Does anyone have any suggestions? It seems TMG does not trust the health monitor probes from the F5.

Thanks,

Adam

REFERENCES:

Deploying F5 with Microsoft Forefront Threat Management Gateway 2010

http://www.f5.com/pdf/deployment-gu...tmg-dg.pdf

Deploying the BIG-IP System v10 with Microsoft Exchange Server 2010

http://www.f5.com/pdf/deployment-gu...010-dg.pdf

5 Replies

  • Adam, what kind of monitor are you using please? Also, is authorisation involved here?
  • Hi Steve,

    For troubleshooting purposes, we dummied down the monitors, so they are just doing basic TCP 80 port checking. But, telnet tests on port 80 from the F5 to TMG are failing, and that is when we see the "The policy rules do not allow the user request" in the TMG logs.

    Initially, with OWA for example, we were using the recommended monitor from the F5 deployment guide:

    GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n

    Adam

  • OK, so what happens when you use the recommended monitor, are there any log messages? When the telnet fails, is it immediately or when you enter a request string? Have you tried curl instead, it's a bit more like a real client. Again, any auth involved?
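To see what TMG actually answers to the probe without guessing from the BIG-IP side, the script below (an added example, not from the thread, F5 or Microsoft) replays the OWA monitor send string Adam quoted and applies the monitor's pass/fail rule to the reply. The receive string, the hostname mail.example.com and the sample replies are assumptions; only the send string comes from the post.

```python
import socket

# Send string as quoted in the thread; BIG-IP stores CR/LF as the literal
# two-character escapes "\r" "\n" in the monitor definition.
MONITOR_SEND = (
    r"GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\n"
    r"User-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n"
)
# Receive string is an assumption (the thread does not quote one).
MONITOR_RECEIVE = "HTTP/1.1 200"


def build_probe(send_string: str) -> bytes:
    """Unescape the monitor text into the exact bytes BIG-IP puts on the wire."""
    return send_string.encode("ascii").decode("unicode_escape").encode("ascii")


def classify_response(raw: bytes, receive_string: str = MONITOR_RECEIVE) -> str:
    """Apply the monitor's rule: 'up' only if the receive string is present.
    On failure, report the status line so a policy denial (an HTTP error
    page from TMG) can be told apart from a connection that never answered."""
    if not raw:
        return "down: no response (connection closed before any data)"
    text = raw.decode("iso-8859-1")
    if receive_string in text:
        return "up"
    return "down: " + text.split("\r\n", 1)[0]


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Replay the monitor against a live listener (not exercised offline).
    The request has no Connection: close, so a keep-alive server will hold
    the socket open; the read timeout ends the collection in that case."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe(MONITOR_SEND))
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except socket.timeout:
        pass  # classify whatever arrived before the timeout
    except OSError as exc:
        return f"down: {exc}"
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"))
```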
  • Thanks for the help. I resolved the initial issue by adding "Local Host" as a destination on the TMG firewall rule for allowing F5 Health Monitor checks.

    Adam