Troubleshooting TMG E-Mail Policy - Wrong IP used for Outgoing SMTP

 

TMG+Edge+FPE - The case of the wrong outgoing IP for SMTP messages.

 

 

Thursday, January 19, 2012

1:53 PM 

When the External network interface carries more than one IP address, be aware that Windows Server 2008 R2 does not simply use the address you configured first. Its source address selection rules (see the KB article linked below) decide which bound address an outbound connection leaves from, and in practice that turns out to be the lowest-numbered address on the interface; TMG picks that address up as the default address of the External network. You can confirm which address TMG treats as the default in the TMG console under Networking, in the properties of the External network. As a result, any traffic originating from the TMG host itself (the Local Host network) leaves from that default address, whatever other addresses are bound to the interface.
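Rather than inferring the default address from the console, you can measure it. The script below is an added example, not code from the original post: it lists the IPv4 addresses bound to the External adapter, works out the lowest-numbered one, and then opens a real TCP connection from the TMG host to see which local address the stack actually used. The adapter connection name ("External") and the probe target (smtp.example.net, port 25) are assumptions; substitute your own. It uses only .NET classes available on Windows Server 2008 R2 / PowerShell 2.0, since that platform has no Get-NetIPAddress cmdlet.

```powershell
# Added example (not from the original post): which address on the External
# interface does Windows actually use as the source for outbound connections?
# Assumptions (hypothetical): the adapter's connection name is "External" and
# smtp.example.net accepts TCP connections on port 25.
$AdapterName = "External"
$ProbeHost   = "smtp.example.net"
$ProbePort   = 25

# All IPv4 unicast addresses bound to the named adapter.
function Get-AdapterIPv4Addresses {
    param([string]$Name)
    $nic = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.Name -eq $Name }
    if ($nic -eq $null) { throw "Adapter '$Name' not found" }
    $nic.GetIPProperties().UnicastAddresses |
        Where-Object { $_.Address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
        ForEach-Object { $_.Address.ToString() }
}

# Lowest address by numeric octet comparison. Casting to [version] compares
# each octet as a number, so 203.0.113.9 sorts below 203.0.113.10; a plain
# string sort would wrongly rank .10 before .9.
function Get-LowestIPv4Address {
    param([string[]]$Addresses)
    ($Addresses | Sort-Object { [version]$_ })[0]
}

# Open a real TCP connection and read back the local endpoint the stack chose.
# This is the address the remote side sees, or, when TMG sits behind another
# NAT device, the private address that device will translate.
function Get-OutboundSourceAddress {
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        $local = [System.Net.IPEndPoint]$client.Client.LocalEndPoint
        return $local.Address.ToString()
    }
    finally {
        $client.Close()
    }
}

$addresses = @(Get-AdapterIPv4Addresses -Name $AdapterName)
$lowest    = Get-LowestIPv4Address -Addresses $addresses
$actual    = Get-OutboundSourceAddress -TargetHost $ProbeHost -Port $ProbePort

# Report the comparison; UsesLowest = $true reproduces the behaviour described
# in this post.
New-Object PSObject -Property @{
    Adapter        = $AdapterName
    BoundAddresses = ($addresses -join ", ")
    LowestAddress  = $lowest
    ActualSource   = $actual
    UsesLowest     = ($actual -eq $lowest)
}
```

Run it from an elevated PowerShell prompt on the TMG server itself, so the probe goes out through the Local Host network exactly as Edge's outbound SMTP does. If ActualSource is not the address you bound the SMTP listener to, the recipient's mail servers will see the same mismatch.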

A neat way to change this is the Enhanced NAT (ENAT) feature in TMG, configured under Networking > Network Rules. ENAT lets you choose which IP address is used as the source address for an existing NAT rule such as Internet Access, or you can create a custom network rule with whatever source network, computer or address you select.

The catch is that ENAT only applies to traffic that TMG NATs. Traffic originating from the External interface's own addresses (the Local Host network) is not NATed by TMG, so ENAT cannot be applied to it, and protocol-based ENAT (picking the source address per protocol) is not supported either. So if TMG, Exchange Edge and FPE are installed on a single box, you use the E-Mail Policy feature, and the SMTP listener is bound to one of the higher addresses on the External interface, outgoing SMTP mail will still be stamped with the default (lowest) IP address rather than the address you selected for the listener. If that address does not match the DNS you published for your mail host (the A record your MX name points to and the PTR record for that address), you may have a problem on your hands: receiving mail systems and spam filtering devices can reject the mail on failed reverse DNS checks.

This holds true whether the TMG server's External interface uses public addresses or a private range behind another firewall that NATs to the outside world: in the latter case the outer firewall translates the private source address it sees, which is still the lowest one, so the public address paired with your listener address is never used.

You can verify the outgoing IP by sending a test message to an external mailbox you control and inspecting its headers: the Received: line stamped by the recipient's server shows the address it actually accepted the connection from (the copy of the message in your own queue does not show this). Also check the message queues on the Edge server for stalled or deferred messages, since a remote rejection on reverse DNS shows up there as the queue's last error.
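The check described above can be scripted. This is an added example, not code from the original post: it pulls the connecting address out of a Received: header, compares it with the address the SMTP listener was bound to, and then does the same forward-confirmed reverse DNS check that receiving mail servers and spam filters perform on that address. The Received: header in the script is a constructed sample (with the recipient's server seeing 203.0.113.9 while the listener was bound to 203.0.113.10); both addresses and host names are hypothetical.

```powershell
# Added example (not from the original post): which address did the recipient's
# server see, and does that address pass a forward-confirmed reverse DNS check?
# The listener address and the sample header below are constructed/hypothetical.
$ExpectedListenerIP = "203.0.113.10"

# Constructed sample: the topmost Received: line of a test message as it arrived
# at an external mailbox. The bracketed address is the one the recipient's
# server actually received the connection from.
$SampleHeader = @'
Received: from mail.example.com (mail.example.com [203.0.113.9])
        by mx.recipient.example with ESMTP id ABC123
        for <test@recipient.example>; Thu, 19 Jan 2012 13:53:00 -0500
'@

# Extract the connecting IPv4 address from a Received: header stamped by the
# server that took the message from us. Returns $null if none is found.
function Get-ConnectingIP {
    param([string]$Header)
    $m = [regex]::Match($Header, 'Received:\s+from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]')
    if (-not $m.Success) { return $null }
    return $m.Groups[1].Value
}

# Reverse DNS (PTR) of the sending address, then forward-confirm that the PTR
# host name resolves back to the same address. PtrName stays $null when no
# reverse record exists (GetHostEntry throws a SocketException in that case).
function Test-ForwardConfirmedRDNS {
    param([string]$IPAddress)
    $ptrName = $null
    $forwardMatch = $false
    try {
        $ptrName = [System.Net.Dns]::GetHostEntry($IPAddress).HostName
        $forward = [System.Net.Dns]::GetHostAddresses($ptrName) | ForEach-Object { $_.ToString() }
        $forwardMatch = ($forward -contains $IPAddress)
    }
    catch [System.Net.Sockets.SocketException] {
        # No PTR record or lookup failure: report PtrName = $null, ForwardMatches = $false.
    }
    New-Object PSObject -Property @{
        IPAddress      = $IPAddress
        PtrName        = $ptrName
        ForwardMatches = $forwardMatch
    }
}

$seen = Get-ConnectingIP -Header $SampleHeader
if ($seen -eq $null) { throw "No Received: header with a bracketed IPv4 address found" }

"Listener address in E-Mail Policy : $ExpectedListenerIP"
"Address the recipient actually saw: $seen"
if ($seen -ne $ExpectedListenerIP) {
    "WARNING: mail left from $seen, not the listener address (default/lowest IP in use)"
}
Test-ForwardConfirmedRDNS -IPAddress $seen
```

To use it on a real message, paste the topmost Received: header from the test message into $SampleHeader. On the Edge server itself, the Exchange Management Shell cmdlets Get-Queue and Get-Message show deferred messages and their LastError, which is where a remote "reverse DNS lookup failed" style rejection will appear.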

 So how do you get around this?

The only solution I have found is to bind the SMTP listener in the E-Mail Policy to the lowest-numbered IP address on the External interface and adjust your DNS records (the A record your MX name points to, and the PTR record for that address) to match. If the Edge server were running on a separate machine from TMG, its outbound SMTP would be NATed by TMG and ENAT could select the source address; since in this scenario TMG and Edge are on the same box, this appears to be the only option. (Windows Server 2008 R2 SP1, and the hotfixes referenced in the KB article linked below, add a skipassource flag to netsh interface ipv4 add address that excludes an address from source selection; that is a Windows-level lever rather than the workaround verified here.) So be careful to test outbound mail before putting your TMG+Edge+FPE solution into production!

 For related information, please see the links below.

 Links:

Enhancing NAT with TMG

http://blogs.technet.com/b/yuridiogenes/archive/2009/09/13/enhancing-nat-with-tmg.aspx

Forefront TMG 2010 - originating IP for outgoing traffic from local host

http://social.technet.microsoft.com/Forums/en/ForefrontedgePub/thread/52b08c5d-6652-4d79-8f46-f9125905d73d

 The functionality for source IP address selection in Windows Server 2008 and in Windows Vista differs from the corresponding functionality in earlier versions of Windows

http://support.microsoft.com/default.aspx?scid=kb;EN-US;969029

Forefront TMG Wiki Portal Page