Solved

Internal Routing Problem -- MS Forefront TMG & RRAS

Posted on 2010-09-14
1,601 Views
Last Modified: 2012-05-10
I have the following topology:

SERVER1
10.99.99.10
------------
10.99.99.1
FOREFRONT TMG
192.168.0.18
------------
192.168.0.250
SERVER2003 RRAS
192.168.2.250
------------
192.168.2.12
USER-PC1

I need to get SERVER1 to ping USER-PC1 and vice versa
What routing rules do I need to implement on FOREFRONT TMG and SERVER2003 RRAS ?
Can you please be specific in any answer?  What steps would I take on each machine?

Finally, what firewall policies I must configure on FOREFRONT TMG to make this work?
Thanks!
Question by:CANI
5 Comments
 
LVL 2

Expert Comment

by:bornskir
ID: 33675398
Make sure default routes are configured correctly on the USER-PC1 and SERVER1

Configure a static route on FOREFRONT TMG

192.168.2.0 255.255.255.0 192.168.0.250

This will send all traffic for the 192.168.2.x subnet through 192.168.0.250.

On SERVER2003 RRAS, you will probably need to setup a static route:

10.99.99.0 255.255.255.0 192.168.0.18


As for firewall rules, that depends on what traffic you need.  Just for ping, make sure ICMP is allowed.

Author Comment

by:CANI
ID: 33681476
Great, I actually had that set up already.  Just wanted to confirm my logic was right.

The issue persists:  USER-PC1 cannot ping FOREFRONT TMG.  

(USER-PC1 can ping other nodes on the 192.168.0.0 network, so I believe SERVER2003 RRAS is working fine)

I believe this is because Forefront TMG is dropping packets from the 2 subnet.  I've tried adding Firewall Policies to accept traffic from the 2 subnet but it's still not working.  Additionally Forefront TMG doesn't seem to be routing packets on to the 10.99.99.0 network ... I'm thinking it's another firewall policy problem.

Author Comment

by:CANI
ID: 33681488
Thought I'd throw in that SERVER2003 RRAS can ping FOREFRONT TMG just fine.
LVL 10

Expert Comment

by:simonlimon
ID: 33695028
Can you try pinging TMG from user 1 and see what happens under session states?

TMG console: Logs and Reports > Logging tab

Make sure you log all traffic from 192.168.2.12

Accepted Solution

by:CANI
ID: 33695349
Thanks for the tip on the logging.

The issue here was that the "Internal Network" as defined on TMG only contained the 192.168.0.0 subnet.  Once I added the 192.168.0.2 subnet (Networking > Networks > double-click Internal > Add Range), it started working.  It seems that no matter what's defined in the Firewall Policy, the IPs must be defined as some kind of Network first in order to pass traffic.
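To make the two lessons of this thread concrete (the static routes from the first answer and the "must be a defined network" behaviour from the accepted solution), here is an added example that is not part of the original thread: a small Python model of the poster's topology that walks a packet hop by hop through each machine's route table, treating TMG as dropping any packet whose source address is in none of its defined networks. The route tables, the two network-range lists and the node names are assumptions built from the addresses in the question; the hosts are given default routes and TMG/RRAS the static routes from the first answer.

```python
from ipaddress import ip_address, ip_network
# Constructed model of the topology in the question: each node's interface
# addresses and route table of (prefix, next hop); next hop None = directly connected.
NODES = {
    "SERVER1": {"ifaces": ["10.99.99.10"],
                "routes": [("10.99.99.0/24", None), ("0.0.0.0/0", "10.99.99.1")]},
    "TMG": {"ifaces": ["10.99.99.1", "192.168.0.18"],
            "routes": [("10.99.99.0/24", None), ("192.168.0.0/24", None),
                       ("192.168.2.0/24", "192.168.0.250")]},
    "RRAS": {"ifaces": ["192.168.0.250", "192.168.2.250"],
             "routes": [("192.168.0.0/24", None), ("192.168.2.0/24", None),
                        ("10.99.99.0/24", "192.168.0.18")]},
    "USER-PC1": {"ifaces": ["192.168.2.12"],
                 "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.250")]},
}
# Ranges TMG knows as defined networks. Per the accepted solution, TMG drops packets
# whose source is in no defined network, whatever the firewall policy allows.
TMG_NETWORKS_BEFORE = ["10.99.99.0/24", "192.168.0.0/24"]      # poster's original state
TMG_NETWORKS_AFTER = TMG_NETWORKS_BEFORE + ["192.168.2.0/24"]  # after adding the range

def owner(nodes, ip):
    """Return the node that owns interface address `ip` (None if nobody does)."""
    return next((n for n, d in nodes.items() if ip in d["ifaces"]), None)

def next_hop(node, dst):
    """Longest-prefix match over a node's route table: (matched, gateway)."""
    addr = ip_address(dst)
    matches = [(ip_network(p).prefixlen, gw) for p, gw in node["routes"] if addr in ip_network(p)]
    best = max(matches, key=lambda m: m[0], default=(None, None))
    return best[0] is not None, best[1]

def trace(nodes, tmg_networks, src, dst):
    """Forward one packet hop by hop; returns (nodes visited, verdict)."""
    here, path = owner(nodes, src), []
    while here is not None:
        path.append(here)
        if here == "TMG" and not any(ip_address(src) in ip_network(n) for n in tmg_networks):
            return path, "dropped by TMG: source not in a defined network"
        if dst in nodes[here]["ifaces"]:
            return path, "delivered"
        found, gw = next_hop(nodes[here], dst)
        if not found:
            return path, f"no route on {here}"
        here = owner(nodes, dst if gw is None else gw)
    return path, "next hop is not a known host"

def ping(nodes, tmg_networks, src, dst):
    """A ping works only if the echo request and the echo reply both get through."""
    return (trace(nodes, tmg_networks, src, dst)[1] == "delivered"
            and trace(nodes, tmg_networks, dst, src)[1] == "delivered")
```

With TMG_NETWORKS_BEFORE the request from SERVER1 reaches USER-PC1 but the reply is dropped at TMG, which is exactly the one-way symptom reported above; with TMG_NETWORKS_AFTER both directions succeed, and removing the RRAS static route instead shows up as "no route on RRAS".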