Solved

TMG - Local/LAN traffic cannot get to the public/Wan nic

Posted on 2011-02-11
Last Modified: 2013-11-16
Hi EE,

I'm new to TMG and I am having problems with the local users on the LAN nic accessing the internet via the WAN nic.

Info:  TMG's nic for the WAN is IP=12.197.xx.xx, subnet=255.255.255.224, gateway=208.67.222.222.  The LAN's IP=192.168.0.152, subnet=255.255.255.0, gateway=blank

1. From a local user's machine I am unable to ping 192.168.0.152 (the lan nic) while successfully pinging other machines on the 192.168.0.0 network.
 
2. From the TMG machine, I can successfully ping all of the 192.168.0.0 devices, including the machine in item 1 above.

3. I have all the firewalls that Windows 2008r2 has listed turned off.

4. Does RRAS need to be installed?  

5. Does there need to be a route created for this to work?  I was under the impression that TMG basically sets up this standard functionality out of the box.

6. I can access the internet and the lan devices via the TMG machine.

7. I have a web access rule that allows everything and is NATing.

8. I am new to TMG and multi-nic systems.

9. The TMG is set as an EDGE device.

10. The only DNS server I'm using is the one at OpenDNS which is 208.67.222.222

Please be as descriptive as possible as I am new to this.

Thanks, Stanley
Question by:stanlyn
 

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 34878304
The only DNS server(s) you should be using are your internal DNS servers. Neither FTMG nor your internal servers should have ANY knowledge about external DNS servers at all.
Reference to external DNS servers should be set in your DNS forwarders tab through the DNS Manager MMC snap-in on internal DNS servers.

To put that clearly, not a single nic - whether it be the FTMG box, internal clients or servers - should have the external dns set in the nic - advanced properties.
Secondly, you need to have the FTMG internal nic bound first - assuming you have installed FTMG with more than one nic and are using it as a firewall & proxy rather than just a proxy server. I guess you are as you have used the edge template.

Obviously you need an access rule for dns outbound from the internal dns servers to external.

No - you do NOT need to install RRAS. No - FTMG does not install RRAS out of the box. If the configuration you implement requires it then FTMG will provide the service. If you have not set the config up that way then it will not use it.

Not quite sure how you have an external ip address of 12.x.y.z and a gateway of 208.x.y.z. Normally the gateway is on the same subnet as the external nic....... but if that is the detail your ISP has provided.....

Have you configured the clients' browsers to use the FTMG settings? In the Internet options - connections - advanced settings - have you stated that they are to use a proxy and set the FTMG's internal IP address and port 8080?

You should do the same for the FTMG's own web browser also.

What are the access rules you have set? It would need - as a minimum to get you going before you streamline - the above mentioned DNS rule plus the following:
allow all protocols FROM internal and localhost TO internal & localhost
Allow http & https from internal & localhost to external.

What are your internal subnets - are all client machines on the 192.168.0.0 subnet? If not, you will need to add static routes on the FTMG telling it how to return traffic back to the various other internal subnets.
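An added example, not from the thread or from Keith's articles: a small checker that applies this answer's points (gateway inside the external NIC's subnet, exactly one default gateway, no external DNS server on any NIC) to the settings in the question. The WAN address is masked in the question, so 12.197.0.10, the corrected gateway 12.197.0.1 and the internal DNS server 192.168.0.10 are placeholders.

```python
import ipaddress

# Constructed NIC settings modelled on the question. The WAN address is masked
# in the thread (12.197.xx.xx), so 12.197.0.10 and 12.197.0.1 are placeholders.
NICS_AS_POSTED = [
    {"name": "WAN", "ip": "12.197.0.10", "mask": "255.255.255.224",
     "gateway": "208.67.222.222", "dns": ["208.67.222.222"]},
    {"name": "LAN", "ip": "192.168.0.152", "mask": "255.255.255.0",
     "gateway": None, "dns": ["208.67.222.222"]},
]

# Same box after applying the answer: gateway inside the WAN subnet, LAN NIC
# still without a gateway, and only an internal DNS server (placeholder
# 192.168.0.10) listed on a NIC.
NICS_CORRECTED = [
    {"name": "WAN", "ip": "12.197.0.10", "mask": "255.255.255.224",
     "gateway": "12.197.0.1", "dns": []},
    {"name": "LAN", "ip": "192.168.0.152", "mask": "255.255.255.0",
     "gateway": None, "dns": ["192.168.0.10"]},
]

def check_edge_nics(nics, internal_nets=("192.168.0.0/24",)):
    """Return a list of findings for a two-NIC edge firewall; empty means clean."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    gateways = 0
    for nic in nics:
        iface = ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}")
        if nic["gateway"]:
            gateways += 1
            gw = ipaddress.ip_address(nic["gateway"])
            # A default gateway must be directly reachable, i.e. inside the NIC's subnet.
            if gw not in iface.network:
                findings.append(f"{nic['name']}: gateway {gw} is not inside {iface.network}")
        for dns in nic["dns"]:
            # External resolvers belong in the internal DNS server's forwarders,
            # never in a NIC's own DNS list.
            if not any(ipaddress.ip_address(dns) in net for net in internal):
                findings.append(f"{nic['name']}: external DNS server {dns} set on the NIC")
    # Exactly one NIC (the external one) should carry a default gateway.
    if gateways != 1:
        findings.append(f"expected exactly one default gateway, found {gateways}")
    return findings

if __name__ == "__main__":
    for label, nics in (("as posted", NICS_AS_POSTED), ("corrected", NICS_CORRECTED)):
        print(label, check_edge_nics(nics) or "no findings")
```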
 

Author Comment

by:stanlyn
ID: 34879360
Sorry, correction... the gateway on the WAN is 12.197.y.z while the DNS server=208.67.222.222, and yes you are correct...

Currently I am not using any internal DNS server or AD.  The server is set as a "workgroup" machine for now until I can test some of the functionality of FTMG before moving onto AD.  I did read that it is OK for the FTMG machine to be part of a workgroup.  Is this correct or not?  I also noticed that a light version of AD is being installed.

Have you configured the clients' browsers to use the FTMG settings? In the Internet options - connections - advanced settings - have you stated that they are to use a proxy and set the FTMG's internal IP address and port 8080?
 
I have never intended to use a proxy and have never set up one.  Does FTMG require this?

What are your internal subnets - are all client machines on the 192.168.0.0 subnet?
They are all on the 192.168.0.0 network.

Obviously you need an access rule for dns outbound from the internal dns servers to external.
Is this done inside FTMG?

You have cleared a lot up for me.  Any whitepapers or videos that you recommend for this simple setup (with no ad, proxies, dns and etc) for my testbed? If any of these items are required then OK, I'll deal with them.

Precisely what I'm trying to test is a bandwidth quota and limits addon application for/to FTMG, and currently I'm unable to get a single local machine on the LAN to get to the internet.

Any idea why the LAN nic in the FTMG machine will not respond to a tracert or a ping, while I can ping and tracert any of the machines connected to the LAN?

Thanks, Stanley

 

Expert Comment

by:Keith Alabaster
ID: 34879398
Yes - FTMG can be part of a workgroup. If there is no internal AD or DNS name resolution service then obviously it needs to know about an external DNS service. No - FTMG does not have to be used as a proxy - it can support SecureNAT clients where the default gateway of the internal machines points to the FTMG internal IP address. Even so, those internal clients will still need to resolve external addresses so DNS requests still have to pass out.

Take a step back. On an internal client, can it perform an nslookup for an external machine such as www.google.com? Does it get an ip address returned or does it fail?
Open the FTMG GUI - from the menu select Logs and Reports. Select Logs and click Start Query.
What do you see in the realtime log when an attempt is made from a client to an external service?
 

Author Comment

by:stanlyn
ID: 34880695
SecureNAT clients
OK, what is this?  Is it part of the FTMG software, as I've never heard of it?  Please explain.

where the default gateway of the internal machines points to the FTMG internal IP address
I'm doing that and that is where one of my problems is...  The internal machines have their gateway pointing to the FTMG machine and I cannot ping the FTMG machine from them.  I know it's working because I can ping the other way to the internal machine from FTMG.

I'll try the nslookup and report back.
 

Expert Comment

by:Keith Alabaster
ID: 34881998
A SecureNAT client is where the client either has the default gateway pointing directly at the FTMG internal IP address, or where traffic sent from the client will get to the FTMG due to underlying routing rules.

A link to my brief article on the various ISA and FTMG clients
http://www.experts-exchange.com/Microsoft/Windows_Security/A_422-ISA-Server-What-are-the-different-types-of-ISA-client-that-can-be-used.html?sfQueryTermInfo=1+30+alabast+keith

A link to another of my articles on how to setup your underlying environment for an ISA or FTMG implementation
http://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html?sfQueryTermInfo=1+30+alabast+keith

Have you created an access rule that allows all ICMP traffic from internal & localhost TO internal & localhost or an alternative allow access rule that includes this traffic? If not, why would you 'expect' it to work - FTMG is a firewall and blocks traffic by default, not allows it.

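An added example, not from the thread: a first-match rule evaluator that models the default-deny behaviour this comment describes, using the network objects from the question and the minimum rule set given in the accepted answer. It shows why a ping from a LAN client to the TMG internal NIC is dropped when the only rule is a web rule to external, and passes once the internal-and-localhost rule exists. The masked WAN address is a placeholder (12.197.0.10), and 203.0.113.5 is a constructed external host.

```python
import ipaddress

# Constructed TMG-style network objects modelled on the thread; the WAN address
# is masked in the question, so 12.197.0.10 is a placeholder.
NETWORKS = {
    "localhost": [ipaddress.ip_network("192.168.0.152/32"),
                  ipaddress.ip_network("12.197.0.10/32")],
    "internal": [ipaddress.ip_network("192.168.0.0/24")],
}

def classify(addr):
    """Name the network an address belongs to: the firewall's own addresses
    count as localhost before internal; anything unmatched is external."""
    ip = ipaddress.ip_address(addr)
    for name in ("localhost", "internal"):
        if any(ip in net for net in NETWORKS[name]):
            return name
    return "external"

# (action, protocols or "all", from networks, to networks). Order matters:
# first match wins, and anything unmatched hits the implicit deny.
MINIMUM_RULES = [
    ("allow", "all", {"internal", "localhost"}, {"internal", "localhost"}),
    ("allow", {"http", "https"}, {"internal", "localhost"}, {"external"}),
    ("allow", {"dns"}, {"internal", "localhost"}, {"external"}),
]

# What the question describes: a single web rule to external and nothing else.
WEB_ONLY_RULES = [MINIMUM_RULES[1]]

def evaluate(rules, src, dst, proto):
    """Return 'allow' or 'deny' for one flow under a first-match rule list."""
    src_net, dst_net = classify(src), classify(dst)
    for action, protos, frm, to in rules:
        if (protos == "all" or proto in protos) and src_net in frm and dst_net in to:
            return action
    return "deny"  # the firewall's implicit default rule

if __name__ == "__main__":
    # Ping from a LAN client to the TMG internal NIC, which the question says fails.
    print("web-only rules:", evaluate(WEB_ONLY_RULES, "192.168.0.20", "192.168.0.152", "icmp"))
    print("minimum rules :", evaluate(MINIMUM_RULES, "192.168.0.20", "192.168.0.152", "icmp"))
```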
 

Author Closing Comment

by:stanlyn
ID: 35451579
I'm a newbie to some of this stuff and still learning.  Maybe later I'll be able to ask better questions...
 

Expert Comment

by:Keith Alabaster
ID: 35452078
"I'm a newbie to some of this stuff and still learning.  Maybe later I'll be able to ask better questions... "

Nothing wrong with the question you asked here. No-one knows everything and you only learn properly by asking questions, reading up and trying to do it yourself.
