So all traffic from a branch office should be sent over a VPN to the head office, then forwarded to the TMG (Microsoft Forefront), which provides logging, filtering and policy application. If the traffic conforms to policy it will be routed via the ASA towards the internet.
So far the thoughts are:
Hairpin routing isn't applicable as we want to send the traffic to the TMG.
We can't set a default route to forward all traffic to the TMG as this would break everything.
Multiple contexts are not possible as there is no VPN support.
There is no policy-based routing on the ASA, so we can't direct traffic coming from the VPN to the TMG.
We have applied PBR on the site router to set the next-hop recursive field on the packet to the TMG IP, but the traffic is not being forwarded via the VPN.
Which interface of the ASA do you terminate the VPN on? I believe the VPN is terminated on the outside interface of the ASA, which is where the Internet is routed? Is that correct? However, you would like to push all the VPN traffic towards the TMG, which is connected to the ASA DMZ interface?
If that is the case, you can configure tunnel default gateway to send all traffic from the VPN tunnel towards the TMG server.
Here is the command for your reference:
route dmz 0.0.0.0 0.0.0.0 <TMG-DMZ-IP> tunneled
(the gateway address, here shown as the placeholder <TMG-DMZ-IP>, is the TMG's address on the DMZ interface)
That will force all traffic from the VPN tunnel towards the TMG server.
But the question is, would the traffic towards the Internet then be initiated from the TMG server itself after being inspected? Or will the source of the traffic still be the actual branch office LAN IP?
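An added example, not the poster's configuration, of how the tunneled default route described in the reply above sits next to the normal default route on the ASA. Addresses are constructed from the RFC 5737 documentation ranges; interface names, security levels and the TMG address are assumptions.

```cisco
! Constructed example, not from the thread: RFC 5737 addresses,
! interface names and the TMG address (192.0.2.10) are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Normal default route: non-VPN traffic, including what the TMG
! hands back to the ASA after inspection, still leaves via the
! ISP next hop on the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunneled default route: applies only to traffic that arrives
! decrypted from a VPN tunnel and has no more specific route.
! For that traffic it overrides the normal default and sends it
! to the TMG's DMZ-side interface. Only one tunneled default
! route can be defined.
route dmz 0.0.0.0 0.0.0.0 192.0.2.10 1 tunneled
```

After applying it, `show route` lists both default routes, so you can confirm the tunneled one was accepted alongside the ordinary one.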
I've attached a diagram of what we are trying to achieve. I came across the concept of tunneled routes in the ASA CLI config documentation, but didn't realise that they were specifically related to VPN traffic.
The TMG acts as a transparent proxy, so traffic will be routed to the TMG interface on the DMZ network and, if allowed, will be routed from the TMG on a different interface to the ASA to be routed out onto the web.
Would it be better to move the remote offices onto a dedicated interface? The DMZ is also used by web servers, and their traffic does not need to be inspected by the TMG.
So after it has been inspected by the TMG, what would be the source of the web traffic towards the internet? Would it be sourced from the TMG, or would it just be sourced from the remote office LAN itself?
Also, how would the return traffic from the internet work? Is it supposed to be routed back towards the TMG, or will it go directly back to the remote office LAN?