TMG - Local/LAN traffic cannot get to the public/Wan nic

Hi EE,

I'm new to TMG and I am having problems with the local users on the LAN nic accessing the internet via the WAN nic.

Info:  TMG's nic for the WAN is IP=12.197.xx.xx, subnet=255.255.255.224, gateway=208.67.222.222.  The lan's ip=192.168.0.152, subnet=255.255.255.0, gateway=blank

1. From a local user's machine I am unable to ping 192.168.0.152 (the LAN nic) while successfully pinging other machines on the 192.168.0.0 network.
 
2. From the TMG machine, I can successfully ping all of the 192.168.0.0 devices, including the machine in item 1 above.

3. I have all the firewalls that Windows 2008r2 has listed turned off.

4. Does RRAS need to be installed?  

5. Does there need to be a route created for this to work?  I was under the impression that TMG basically sets up this standard functionality out of the box.

6. I can access the internet and the lan devices via the TMG machine.

7. I have a web access rule that allows everything and is NATing.

8. I am new to TMG and multi-nic systems.

9. The TMG is set as an EDGE device.

10. The only DNS server I'm using is the one at OpenDNS which is 208.67.222.222

Please be as descriptive as possible as I am new to this.

Thanks, Stanley
ASKER CERTIFIED SOLUTION
Keith Alabaster
This solution is only available to members.
stanlyn

ASKER

Sorry, correction... the gateway on the WAN is 12.197.y.z while the DNS server=208.67.222.222, and yes you are correct...

Currently I am not using any internal DNS server or AD.  The server is set as a "workgroup" machine for now until I can test some of the functionality of FTMG before moving onto AD.  I did read that it is OK for the FTMG machine to be part of a workgroup.  Is this correct or not?  I also noticed that a light version of AD is being installed.

Have you configured the clients' browsers to use the FTMG settings? In the Internet options - connections - advanced settings - have you stated that they are to use a proxy and set the FTMG's internal IP address and port 8080?
 
I have never intended to use a proxy and have never set up one.  Does FTMG require this?

What are your internal subnets - are all client machines on the 192.168.0.0 subnet?
They are all on the 192.168.0.0 network.

Obviously you need an access rule for dns outbound from the internal dns servers to external.
Is this done inside FTMG?

You have cleared a lot up for me.  Any whitepapers or videos that you recommend for this simple setup (with no ad, proxies, dns and etc) for my testbed? If any of these items are required then OK, I'll deal with them.

Precisely what I'm trying to test is a bandwidth quota and limits addon application for/to FTMG, and currently I'm unable to get a single local machine on the LAN to get to the internet.

Any idea why the LAN nic in the FTMG machine will not respond to a tracert or a ping, while I can ping and tracert any of the machines connected to the LAN?

Thanks, Stanley

Yes - FTMG can be part of a workgroup. If there is no internal AD or DNS name resolution service then obviously it needs to know about an external DNS service. No - FTMG does not have to be used as a proxy - it can support SecureNAT clients where the default gateway of the internal machines points to the FTMG internal IP address. Even so, those internal clients will still need to resolve external addresses so DNS requests still have to pass out.

Take a step back. On an internal client, can it perform an nslookup for an external machine such as www.google.com? Does it get an ip address returned or does it fail?
Open the FTMG GUI - from the menu select logs and reports. Select logs and click start query.
What do you see in the realtime log when an attempt is made from a client to an external service?

ASKER

SecureNAT clients
OK, what is this?  Is it part of the FTMG software? I've never heard of it.  Please explain.

where the default gateway of the internal machines points to the FTMG internal IP address
I'm doing that and that is where one of my problems is...  The internal machines have their gateway pointing to the FTMG machine and I cannot ping the FTMG machine from them.  I know it's working because I can ping the other way to the internal machine from FTMG.

I'll try the nslookup and report back.
A secureNAT client is where the client either has the default gateway pointing directly at the FTMG internal IP address or that traffic sent from the client will get to the FTMG due to underlying routing rules.

A link to my brief article on the various ISA and FTMG clients
https://www.experts-exchange.com/Microsoft/Windows_Security/A_422-ISA-Server-What-are-the-different-types-of-ISA-client-that-can-be-used.html?sfQueryTermInfo=1+30+alabast+keith

A link to another of my articles on how to setup your underlying environment for an ISA or FTMG implementation
https://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html?sfQueryTermInfo=1+30+alabast+keith

Have you created an access rule that allows all ICMP traffic from internal & localhost TO internal & localhost or an alternative allow access rule that includes this traffic? If not, why would you 'expect' it to work - FTMG is a firewall and blocks traffic by default, not allows it.
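A client-side check of the SecureNAT prerequisites discussed in the replies above (default gateway pointing at the TMG internal NIC, external name resolution, ICMP to the TMG internal NIC, and an actual outbound TCP connection), as an added PowerShell example that is not part of this thread. It assumes the TMG internal address 192.168.0.152 from the question and uses www.google.com as the external test name suggested above; older WMI and .NET calls are used so it also runs on Windows 7 / 2008 R2 era clients.

```powershell
# Added diagnostic script (not from the thread). Assumed values: the TMG internal
# NIC is 192.168.0.152 (from the question) and www.google.com is the external test name.
param(
    [string]$TmgInternalIp = '192.168.0.152',
    [string]$ExternalName  = 'www.google.com'
)

$results = @{}

# 1. SecureNAT prerequisite: the client's default gateway must be the TMG internal IP
#    (or routing must otherwise deliver the traffic there). Win32_NetworkAdapterConfiguration
#    is available on old and new Windows versions alike.
$gateways = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } |
    ForEach-Object { $_.DefaultIPGateway }
$results.GatewayIsTmg = ($gateways -contains $TmgInternalIp)

# 2. Name resolution: a SecureNAT client still has to resolve external names itself,
#    so DNS answers must come back (and the TMG policy must allow DNS outbound).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ExternalName)
    $results.DnsResolves = ($addrs.Count -gt 0)
} catch {
    $results.DnsResolves = $false
}

# 3. ICMP to the TMG internal NIC. Failure here is expected unless an access rule
#    allows ICMP from Internal to Localhost; on its own it does not prove routing is broken.
$results.TmgAnswersPing = Test-Connection -ComputerName $TmgInternalIp -Count 2 -Quiet

# 4. The test that matters for web access: can the client open TCP 80 to an external
#    host through the gateway? (.NET TcpClient avoids depending on newer cmdlets.)
try {
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($ExternalName, 80)
    $results.ExternalHttpReachable = $client.Connected
    $client.Close()
} catch {
    $results.ExternalHttpReachable = $false
}

$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Read the output alongside the TMG realtime log: if GatewayIsTmg is True but ExternalHttpReachable is False, the log entry for the denied connection names the rule (or the default rule) that blocked it.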


ASKER

I'm a newbee to some of this stuff and still learning.  Maybe later I'll be able to ask better questions...
"I'm a newbee to some of this stuff and still learning.  Maybe later I'll be able to ask better questions... "

Nothing wrong with the question you asked here. No-one knows everything and you only learn properly by asking questions, reading up and trying to do it yourself.