F5 detects TMG servers down

Hi,

We are trying to publish Exchange 2010 using MSFT Threat Management Gateway (TMG). The TMG servers sit behind a pair of F5 BIG-IPs running 10.x. We have completed all the steps outlined in the deployment guides, but are running into a problem where the F5s are detecting that the TMG servers are down (not listening on TCP 80). On the TMG servers, I can see the F5 attempts to connect on TCP 80 being denied with a response of "The policy rules do not allow the user request." We have tried adding a rule to allow all HTTP requests from the F5 IP range, but that did not help the cause.

Does anyone have any suggestions? It seems TMG does not trust the health monitor probes from the F5.

Thanks,

Adam

REFERENCES:

Deploying F5 with Microsoft Forefront Threat Management Gateway 2010

http://www.f5.com/pdf/deployment-gu...tmg-dg.pdf

Deploying the BIG-IP System v10 with Microsoft Exchange Server 2010

http://www.f5.com/pdf/deployment-gu...010-dg.pdf

 


Answers to this Question

Adam, what kind of monitor are you using please? Also, is authorisation involved here?
0

Hi Steve,

For troubleshooting purposes, we dummied down the monitors, so they are just doing basic TCP 80 port checking. But, telnet tests on port 80 from the F5 to TMG are failing, and that is when we see the "The policy rules do not allow the user request" in the TMG logs.

Initially, with OWA for example, we were using the recommended monitor from the F5 deployment guide:

GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n

Adam

0
OK, so what happens when you use the recommended monitor, are there any log messages? When the telnet fails, is it immediately or when you enter a request string? Have you tried curl instead? It's a bit more like a real client. Again, any auth involved?
0
Thanks for the help. I resolved the initial issue by adding "Local Host" as a destination on the TMG firewall rule for allowing F5 Health Monitor checks.

Adam
0
Great. You're welcome.
0
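
Added example, not part of the thread or of F5's or Microsoft's tooling: a small Python probe that answers the question raised above, whether a health check fails at connect time or only after the request string is sent. It sends the OWA monitor string quoted in the thread; the function name `probe` and its stage labels are assumptions made for illustration.

```python
import socket
import sys

# Monitor send string quoted in the thread (mail.example.com is the thread's example host).
SEND = (b"GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n")


def probe(host, port, send=SEND, timeout=3.0):
    """Return (stage, detail) describing how far a monitor-style check got.

    stage is "connect" (TCP handshake failed), "request" (connected, but the
    peer reset, closed or stayed silent after the send string) or "http"
    (a response arrived; detail is its status line).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("connect", "refused")
    except socket.timeout:
        return ("connect", "timeout")
    except OSError as exc:
        return ("connect", str(exc))
    with sock:
        try:
            sock.sendall(send)
            data = sock.recv(4096)
        except socket.timeout:
            return ("request", "no response before timeout")
        except OSError as exc:
            # Reset or broken pipe: the peer accepted the TCP session, then dropped it.
            return ("request", type(exc).__name__)
        if not data:
            return ("request", "closed without response")
        # First line of the reply, e.g. "HTTP/1.1 200 OK" or a 4xx/5xx denial.
        return ("http", data.split(b"\r\n", 1)[0].decode("latin-1"))


if __name__ == "__main__":
    # Usage: python probe.py <pool-member-address> <port>
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A "connect" or "request" result points at a firewall rule dropping the session, while an "http" result with an error status means the request reached the web listener and the monitor's receive string or authentication is the next thing to check.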