We are trying to publish Exchange 2010 using MSFT Threat Management Gateway (TMG). The TMG servers sit behind a pair of F5 BIG-IPs running 10.x. We have completed all the steps outlined in the deployment guides, but are running into a problem where the F5s are detecting that the TMG servers are down (not listening on TCP 80). On the TMG servers, I can see the F5 attempts to connect on TCP 80 being denied with a response of "The policy rules do not allow the user request." We have tried adding a rule to allow all HTTP requests from the F5 IP range, but that did not help the cause.
Does anyone have any suggestions? It seems TMG does not trust the health monitor probes from the F5.
Deploying F5 with Microsoft Forefront Threat Management Gateway 2010
Deploying the BIG-IP System v10 with Microsoft Exchange Server 2010
For troubleshooting purposes, we dumbed down the monitors so they are just doing basic TCP port 80 checking. But telnet tests on port 80 from the F5 to TMG are failing, and that is when we see "The policy rules do not allow the user request" in the TMG logs.
Initially, with OWA for example, we were using the recommended monitor from the F5 deployment guide:
GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n
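One way to reproduce what the BIG-IP monitor actually puts on the wire, so the request seen in the TMG log can be compared with the one the monitor is configured to send. This is an added example written for this post, not code from F5 or Microsoft: it converts the monitor send string (typed with literal `\r\n` escapes, as in the OWA example above) into bytes, extracts the Host header the probe carries, and optionally sends the probe to a chosen address and port, reporting the status line and whether the configured receive string (assumed here to be `200 OK`) appears in the reply. The host and port are placeholders you supply; the quoted send string is the one from the post, reused as constructed sample input.

```python
import socket
import sys
from typing import Optional, Tuple

# Constructed sample: the OWA monitor send string quoted above, exactly as it is typed
# into the BIG-IP monitor (literal backslash-r backslash-n, not real CR/LF characters).
OWA_SEND_STRING = (
    r"GET /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=0 HTTP/1.1\r\n"
    r"User-Agent: Mozilla/4.0\r\nHost: mail.example.com\r\n\r\n"
)


def unescape_send_string(send_string: str) -> bytes:
    """Turn a monitor send string with literal \\r\\n escapes into wire bytes."""
    return send_string.encode("ascii").decode("unicode_escape").encode("ascii")


def host_header(request: bytes) -> Optional[str]:
    """Return the Host header value of a raw HTTP request, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None


def response_matches(response: bytes, receive_string: str) -> bool:
    """Mimic the monitor's receive-string check: substring match on the reply."""
    return receive_string.encode("ascii") in response


def probe(host: str, port: int, send_string: str,
          receive_string: str = "200 OK", timeout: float = 5.0) -> Tuple[str, bool]:
    """Send the probe the way the monitor would and return (status line, matched)."""
    request = unescape_send_string(send_string)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    response = b"".join(chunks)
    status_line = response.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    return status_line, response_matches(response, receive_string)


if __name__ == "__main__":
    # Usage: python probe.py <tmg-address> <port>   (both are placeholders you choose)
    if len(sys.argv) != 3:
        print("usage: probe.py <host> <port>")
        sys.exit(2)
    target, target_port = sys.argv[1], int(sys.argv[2])
    print("probe Host header:", host_header(unescape_send_string(OWA_SEND_STRING)))
    status, ok = probe(target, target_port, OWA_SEND_STRING)
    print("status line:", status)
    print("receive string matched:", ok)
```

The Host header the script prints is worth checking against the public name on the TMG web publishing rule and the protocol (HTTP versus HTTPS) its listener accepts, since web publishing rules select by listener and public name; a plain telnet on port 80 sends no Host header at all, so it exercises a different path than the configured monitor does.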