Solved

TMG - Local/LAN traffic cannot get to the public/Wan nic

Posted on 2011-02-11
7
1,090 Views
Last Modified: 2013-11-16
Hi EE,

I'm new to TMG and I am having problems with the local users on the LAN nic accessing the internet via the WAN nic.  

Info:  TMG's nic for the WAN is IP=12.197.xx.xx, subnet=255.255.255.224, gateway=208.67.222.222.  The lan's ip=192.168.0.152, subnet=255.255.255.0, gateway=blank

1. From a local users machine I am unable to ping 192.168.0.152 (the lan nic) while successfully pinging other machines on the 192.168.0.0 network.
 
2. From the TMG machine, I can successfully ping all of the 192.168.0.0 devices, including the machine in item 1 above.

3. I have all the firewalls that Windows 2008r2 has listed turned off.

4. Does RRAS need to be installed?  

5. Does there need to be a route created for this to work?  I was under the impression the TMG basically setup this standard functionality out of the box.

6. I can access the internet and the lan devices via the TMG machine.

7. I have a web access rule that allows everything and is NATing.

8. I am new to TMG and multi-nic systems.

9. The TMG is set as an EDGE device.

10. The only DNS server I'm using is the one at OpenDNS which is 208.67.222.222

Please be as descriptive as possible as I am new to this.

Thanks, Stanley
Question by:stanlyn
7 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 34878304
The only dns server(s) you should be using are your internal DNS servers. Neither FTMG nor your internal servers should have ANY knowledge about external dns servers at all.
Reference to external DNS servers should be set in your DNS forwarders tab through the DNS Manager MMC snap-in on internal DNS servers.

To put that clearly, not a single nic - whether it be the FTMG box, internal clients or servers - should have the external dns set in the nic - advanced properties.
Secondly, you need to have the FTMG internal nic bound first - assuming you have installed FTMG with more than one nic and are using it as a firewall & proxy rather than just a proxy server. I guess you are as you have used the edge template.

Obviously you need an access rule for dns outbound from the internal dns servers to external.

No - you do NOT need to install RRAS. No - FTMG does not install RRAS out of the box. If the configuration you implement requires it then FTMG will provide the service. If you have not set the config up that way then it will not use it.

Not quite sure how you have an external ip address of 12.x.y.z and a gateway of 208.x.y.z. Normally the gateway is on the same subnet as the external nic....... but if that is the detail your ISP has provided.....

Have you configured the clients' browsers to use the FTMG settings? In the Internet options - connections - advanced settings - have you stated that they are to use a proxy and set the FTMG's internal IP address and port 8080?

You should do the same for the FTMG's own web browser also.

What are the access rules you have set. It would need - as a minimum to get you going before you streamline - the above mentioned DNS rule plus the following:
allow all protocols FROM internal and localhost TO internal & localhost
Allow http & https from internal & localhost to external.

What are your internal subnets - are all client machines on the 192.168.0.0 subnet? If not, you will need to add static routes on the FTMG telling it how to return traffic back to the various other internal subnets.

0
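The accepted answer above lists several host-side conditions: no external DNS address on any nic, a default gateway only on the external nic (and on that nic's own subnet), and the internal nic bound first. The script below is an added audit of those points and is not part of the thread or of TMG; it assumes it is run locally on the TMG box, IPv4 only, and uses only the Win32_NetworkAdapterConfiguration WMI class and the Tcpip\Linkage\Bind registry value that exist on Windows Server 2008 R2.

```powershell
# Added audit script (not from the thread). Checks a multi-NIC TMG host against
# the accepted answer: no external DNS on any NIC, a default gateway only on the
# external NIC and on its own subnet, and the internal NIC bound first.
# Assumes IPv4 only and the WMI/registry paths available on Windows Server 2008 R2.

function Test-PrivateIPv4 {
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)
}

function Test-SameSubnet {
    param([string]$A, [string]$B, [string]$Mask)
    $ab = ([System.Net.IPAddress]::Parse($A)).GetAddressBytes()
    $bb = ([System.Net.IPAddress]::Parse($B)).GetAddressBytes()
    $mb = ([System.Net.IPAddress]::Parse($Mask)).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($ab[$i] -band $mb[$i]) -ne ($bb[$i] -band $mb[$i])) { return $false }
    }
    return $true
}

$dotted = '^\d{1,3}(\.\d{1,3}){3}$'
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$internal = @(); $withGateway = 0
foreach ($nic in $nics) {
    $ip   = @($nic.IPAddress        | Where-Object { $_ -match $dotted })[0]
    $mask = @($nic.IPSubnet         | Where-Object { $_ -match $dotted })[0]
    $gw   = @($nic.DefaultIPGateway | Where-Object { $_ -match $dotted })[0]
    Write-Host ("{0}: {1}/{2} gw={3}" -f $nic.Description, $ip, $mask, $gw)

    # External DNS belongs in an internal DNS server's forwarders, not on a NIC
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        if ($dns -and -not (Test-PrivateIPv4 $dns)) {
            Write-Warning "$($nic.Description): external DNS $dns is set on the NIC"
        }
    }
    if ($gw) {
        $withGateway++
        # The gateway must sit on the external NIC's own subnet
        if (-not (Test-SameSubnet $ip $gw $mask)) {
            Write-Warning "$($nic.Description): gateway $gw is not on subnet $ip/$mask"
        }
    } elseif (Test-PrivateIPv4 $ip) { $internal += $nic.SettingID }   # gateway blank: internal NIC
}
# Exactly one NIC (the external one) should carry a default gateway
if ($withGateway -ne 1) { Write-Warning "$withGateway NICs have a default gateway; expected 1" }

# Binding order: the internal NIC should be first in TCP/IP's Linkage\Bind list
$bind  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$first = ($bind | Select-Object -First 1) -replace '^\\Device\\', ''
if ($internal -notcontains $first) { Write-Warning "First bound adapter ($first) is not the internal NIC" }
```

Run it in an elevated PowerShell prompt on the TMG host; every Write-Warning line maps to one of the points in the answer above, and a clean run prints only the per-nic summary lines.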
 

Author Comment

by:stanlyn
ID: 34879360
Sorry, correction... the gateway on the WAN is 12.197.y.z while the DNS server=208.67.222.222, and yes you are correct...

Currently I am not using any internal DNS server or AD.  The server is set as a "workgroup" machine for now until I can test some of the functionality of FTMG before moving onto AD.  I did read that it is OK for the FTMG machine to be part of a workgroup.  Is this correct or not?  I also noticed that a light version of AD is being installed.

Have you configured the clients' browsers to use the FTMG settings? In the Internet options - connections - advanced settings - have you stated that they are to use a proxy and set the FTMG's internal IP address and port 8080?
 
I have never intended to use a proxy and have never set up one.  Does FTMG require this?

What are your internal subnets - are all client machines on the 192.168.0.0 subnet?
They are all on the 192.168.0.0 network.

Obviously you need an access rule for dns outbound from the internal dns servers to external.
Is this done inside FTMG?

You have cleared a lot up for me.  Any whitepapers or videos that you recommend for this simple setup (with no ad, proxies, dns and etc) for my testbed? If any of these items are required then OK, I'll deal with them.

Precisely what I'm trying to test is a bandwidth quota and limits addon application for/to FTMG, and currently I'm unable to get a single local machine on the LAN to get to the internet.

Any idea why the LAN nic in the FTMG machine will not respond to a tracert or a ping, while I can ping and tracert any of the machines connected to the LAN?

Thanks, Stanley



0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34879398
Yes - FTMG can be part of a workgroup. If there is no internal AD or dns name resolution service then obviously it needs to know about an external dns service. No - FTMG does not have to be used as a proxy - it can support SecureNAT clients where the default gateway of the internal machines points to the FTMG internal IP address. Even so, those internal clients will still need to resolve external addresses so DNS requests still have to pass out.

Take a step back. On an internal client, can it perform an nslookup for an external machine such as www.google.com? Does it get an ip address returned or does it fail?
Open the FTMG GUI - from the menu select logs and reports. Select logs and click start query.
What do you see in the realtime log when an attempt is made from a client to an external service?
0

Author Comment

by:stanlyn
ID: 34880695
SecureNAT clients
OK, what is this?  Is it part of the FTMG software as I've never heard of it.  Please explain.

where the default gateway of the internal machines points to the FTMG internal IP address
I'm doing that and that is where one of my problems is...  The internal machines have their gateway pointing to the FTMG machine and I cannot ping the FTMG machine from them.  I know it's working because I can ping the other way to the internal machine from FTMG.

I'll try the nslookup and report back.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34881998
A SecureNAT client is where the client either has the default gateway pointing directly at the FTMG internal IP address or where traffic sent from the client will get to the FTMG due to underlying routing rules.

A link to my brief article on the various ISA and FTMG clients
http://www.experts-exchange.com/Microsoft/Windows_Security/A_422-ISA-Server-What-are-the-different-types-of-ISA-client-that-can-be-used.html?sfQueryTermInfo=1+30+alabast+keith

A link to another of my articles on how to setup your underlying environment for an ISA or FTMG implementation
http://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html?sfQueryTermInfo=1+30+alabast+keith

Have you created an access rule that allows all ICMP traffic from internal & localhost TO internal & localhost or an alternative allow access rule that includes this traffic? If not, why would you 'expect' it to work - FTMG is a firewall and blocks traffic by default, not allows it.

0
 

Author Closing Comment

by:stanlyn
ID: 35451579
I'm a newbie to some of this stuff and still learning.  Maybe later I'll be able to ask better questions...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35452078
"I'm a newbie to some of this stuff and still learning.  Maybe later I'll be able to ask better questions... "

Nothing wrong with the question you asked here. No-one knows everything and you only learn properly by asking questions, reading up and trying to do it yourself.
0