Solved

How to configure wireless connection with TMG 2010

Posted on 2011-03-20
2,757 Views
Last Modified: 2012-05-11
Hi there, I need some advice here please.

All company clients (wireless and wired) automatically get their settings (IP address, gateway, etc.) from the DHCP server. Everyone is connected to the Internet through a UNIX firewall.
 
A new TMG 2010 firewall has recently been installed. This firewall is connected to a different ISP and will be used exclusively by the IT department team. If an IT staff member needs to connect to the Internet through TMG, all they have to do is change their IE or Firefox proxy settings. Everything works fine for the IT staff when they use a network cable, but not on wireless.

Could someone please advise me on what exactly needs to be done so that IT staff can browse the Internet through the TMG firewall wirelessly? As I mentioned before, wireless clients can browse the Internet through the UNIX firewall without any problems.

Thanks in advance.
VLAN.jpg
Question by:Olevo
26 Comments
 
LVL 4

Expert Comment

by:needleboy
ID: 35175104
Hi there,

What is 192.168.0.10?
The IP address of the router?
Is TMG connected directly to this device?
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35175121
Any spoof attack detected on the TMG server? See Monitoring --> Alerts.
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35175123
Another thing: can TMG ping any wireless-connected PC?
LVL 1

Author Comment

by:Olevo
ID: 35175162
TMG is not directly connected to the router. 192.168.0.10 is the router's IP interface connected to the wireless LAN, and 172.16.0.10 is the router's interface to the LAN.

This is obviously a routing problem for the wireless clients. They get their settings from the DHCP server, but they know nothing about TMG as a gateway. Changing the proxy settings in IE to use TMG doesn't work here: TMG detects this as spoofed traffic and blocks all communication from the wireless client.

I'm guessing that something needs to be changed on the router, or perhaps an additional NIC needs to be installed in the TMG firewall and connected to the router (192.168.0.10).
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35175167
Please try this first:

http://support.microsoft.com/kb/838114
 
LVL 1

Author Comment

by:Olevo
ID: 35175210
To Sulimanw:
Thanks for the info. I'll try that tomorrow at work. Assuming that this "disabling the IP Spoof Detection…" fixes my problem, is it a good idea not to have IP Spoof Detection at all?! Or am I missing something here?!
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35175275
Spoof attack detection:
http://en.wikipedia.org/wiki/ARP_spoofing

In your case, when TMG tries to resolve the source IP address to a MAC address using ARP, it gets the router's MAC address (172.16.0.10), which does not match, so TMG considers the source IP address a spoofed one.

For sure it is a good idea to keep spoof attack detection enabled, but in your case, disabling this feature is the only option.

I had the same issue 2 years ago (on ISA Server).
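To make the spoof check described above concrete, here is a small model written for this page (it is not TMG's own code and not part of the thread). TMG binds each NIC to a network object defined as a list of inclusive address ranges, the same "start - end" entries seen in the Internal network properties dialog discussed later in this thread; a packet arriving on a NIC whose source address lies outside every range of that NIC's network is logged as spoofed and dropped. The wired LAN mask (/24) and the client addresses are assumptions; the wireless 192.168.100.0/22 scope is the one the author gives later in the thread. The model also shows why Keith Alabaster insists on including the .0 and .255 endpoints: a range typed short leaves part of the scope flagged.

```python
"""Toy model of the per-NIC IP spoof check in TMG/ISA (added example, not TMG code)."""
from ipaddress import IPv4Address, ip_address
from typing import List, Tuple

Range = Tuple[IPv4Address, IPv4Address]  # inclusive start, inclusive end


def parse_ranges(entries: List[str]) -> List[Range]:
    """Parse 'start - end' strings as typed into the TMG network properties dialog."""
    ranges = []
    for entry in entries:
        start, end = (ip_address(p.strip()) for p in entry.split("-"))
        if start > end:
            raise ValueError(f"range start after end: {entry}")
        ranges.append((start, end))
    return ranges


def spoof_check(nic_ranges: List[Range], src_ip: str) -> str:
    """'accepted' if src_ip is inside a range bound to the arrival NIC, else 'spoofed'."""
    src = ip_address(src_ip)
    return "accepted" if any(lo <= src <= hi for lo, hi in nic_ranges) else "spoofed"


# Constructed sources arriving on the Internal NIC: one wired IT client and two
# wireless clients from the 192.168.100.0/22 DHCP scope named later in the thread.
ARRIVALS_ON_INTERNAL = ["172.16.0.50", "192.168.100.100", "192.168.103.20"]


def verdicts(internal_entries: List[str]) -> List[str]:
    """Run every constructed arrival against the given Internal network definition."""
    ranges = parse_ranges(internal_entries)
    return [spoof_check(ranges, ip) for ip in ARRIVALS_ON_INTERNAL]


# 1) Starting point: Internal holds only the wired LAN (assumed /24), so every
#    wireless source is reported as spoofed, which is the symptom in the thread.
ORIGINAL = ["172.16.0.0 - 172.16.0.255"]

# 2) Range entered without its endpoints: hosts in 192.168.103.x are still outside it.
PARTIAL_FIX = ORIGINAL + ["192.168.100.1 - 192.168.102.254"]

# 3) The whole /22 including the .0 and .255 endpoints.
FULL_FIX = ORIGINAL + ["192.168.100.0 - 192.168.103.255"]

if __name__ == "__main__":
    for name, entries in [("original", ORIGINAL), ("partial", PARTIAL_FIX), ("full", FULL_FIX)]:
        print(name, dict(zip(ARRIVALS_ON_INTERNAL, verdicts(entries))))
```

Disabling the check (the registry workaround) makes all three lists come back "accepted" regardless of the definition, which is exactly the information a defender loses; extending the Internal address set keeps the check and only admits the ranges the administrator has explicitly claimed.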
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35176509
Are all of the IP addresses associated with both the wireless subnet and the wired LAN subnet included in the local address table of the TMG internal NIC via the FTMG GUI, including the .0 and the .255 addresses?
 
LVL 4

Assisted Solution

by:needleboy
needleboy earned 800 total points
ID: 35176652
You must define network 192.168.0.0/24 as a private network in TMG.
Then you can allow wireless clients to access the Internet by creating a firewall rule or modifying an existing one.
 
LVL 1

Author Comment

by:Olevo
ID: 35177483
As Sulimanw suggested, I have created a new registry key to temporarily disable the IP Spoof Detection on TMG. No more spoofing alerts in the TMG logs; however, the wireless client still can't connect to the Internet through TMG?! This time I can see a successfully initiated connection from the wireless client, and straight away the connection is closed with status: "A connection was abortively closed after one of the peers sent an RST packet". Wireless clients get their settings from the DHCP server. As an example here: Client 2 (IP: 192.168.0.100/24, gateway: 192.168.0.10). The only thing I'm changing on the wireless client is the IE browser proxy settings (pointing to 172.16.0.2:8080). Does something else need to be created/changed on the TMG firewall?

The "work-around" above is a kind of temporary fix for us. I don't like the idea of disabling the IP Spoof Detection on TMG. I like needleboy's proposal of defining network 192.168.0.0/24 as a private network in TMG and creating an appropriate access rule for it. Now, how do you actually do this? Currently TMG doesn't have a NIC with 192.168.0.x. Does that mean I need to install one more NIC in TMG, define it as private and connect it to the 192.168.0.0/24 network?

To keith_alabaster:
Do I need to add the wireless range (192.168.0.0/24) to the Internal Properties? Please see the picture provided.

Internal.jpg
 
LVL 1

Author Comment

by:Olevo
ID: 35177545
Here is another thing. TMG is connected to the ADSL router with the NIC set as 192.168.0.2/24, and as you can see this is the same network range being used for the wireless clients. I'm guessing that you cannot add 192.168.0.0 as a private network in TMG?!
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 800 total points
ID: 35178500
If the wireless IP addresses are located on the internal side of the FTMG then yes. If they are located on the external side of FTMG then no. This is what needleboy is telling you as well.

Why would anyone want to turn off spoof detection? This is like disconnecting the burglar alarm siren - the siren never goes off, so I can't be being burgled. And hey, if I DO get burgled multiple times I will not know about it, as the warning siren will never go off.

 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35178681
I don't know what you mean by "needleboy".

Then, adding the wireless range to the TMG Internal network is more secure than disabling spoof attack detection on the TMG server.

>>"Here is another thing. TMG is connected to the ADSL router with the NIC set as 192.168.0.2/24 and as you can see this is the same network range being used for the wireless clients. I'm guessing that you cannot add 192.168.0.0 as a private network in TMG?!"

That's true, you can't have the 192.168.0.x range on the Internal network since this range is directly attached to the external NIC.
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35178691
Sorry for "I don't know what you mean by "needleboy"."

I have just realised that it is a member account name.

Sorry again.
 
LVL 1

Author Comment

by:Olevo
ID: 35180361
Summarising all the info above, here is my plan of action. Please correct me if I'm wrong.

1. Enable IP Spoof Detection on TMG again.
2. Because of the wireless subnet (192.168.0.0/24), we need to change the external (public) TMG interface (currently set as 192.168.0.2/24) to something different, let's say 10.0.0.1.
3. Install an additional network card in TMG and assign a 192.168.0.x address to it.
4. Add the wireless range (192.168.0.0/24) to the Internal Network.
5. Perhaps some additional rules need to be created in TMG?!

Did I miss anything?
 
LVL 1

Author Comment

by:Olevo
ID: 35180374
I'm guessing that I have missed one step between 3 and 4, which is connecting the new NIC to the wireless range.
 
LVL 4

Assisted Solution

by:needleboy
needleboy earned 800 total points
ID: 35181373
Don't install another NIC. Simply add subnet 192.168.0.0/24 to the Internal properties box you posted above.
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35185636
Agree with needleboy.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35186835
As I asked/stated in my very first post.
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 35208134
needleboy:
Don't install another NIC. Simply add subnet 192.168.0.0/24 to the Internal properties box you posted above.

AND,...add a route to the routing table on the ISA/TMG machine that tells it to use 176.16.0.10 as the gateway to get to the 192.168.0.x network:

route add -p 192.168.0.0 mask 255.255.255.0 172.16.0.10
 
LVL 29

Expert Comment

by:pwindell
ID: 35208168
Olevo:
TMG is not directly connected to the router.  192.168.0.10 is the IP interface of the router connected to the Wireless LAN and 172.16.0.10 is router interface to the LAN


Yes, the ISA is directly connected to that LAN router. The Internal NIC and the router interface are in the same subnet,...that,...by definition,...means they are directly connected,...it makes no difference how many hubs, switches, etc. are between them.
 
LVL 1

Author Comment

by:Olevo
ID: 35229031
To minimise the impact of distractions on the wireless clients, we need to leave the DHCP wireless scope settings "as is". However, I can change the TMG external interface (ADSL connection). Or maybe I don't need to change anything on TMG?! Here is why. Currently the IP scope for the wireless clients is set to 192.168.100.0/22 (mask: 255.255.252.0) and the TMG external NIC is set to 192.168.0.2/24 (mask: 255.255.255.0). Sorry, my network diagram is a bit wrong here: the router NIC for the wireless network is currently set as 192.168.100.1 (shown on the diagram as 192.168.0.10). My IP subnetting skills are probably a bit rusty now, but from what I can see here, wireless clients will always have an IP address between 192.168.100.1 and 192.168.103.254 (total hosts: 1,022) with a gateway of 192.16.100.1, and the TMG external NIC will be inside the 192.168.0.1 to 192.168.0.254 range (total hosts: 254) with a gateway of 192.168.0.1 (ADSL modem). Even though both IP ranges belong to a class C network, they are on different subnets, aren't they?!
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35229386
Absolutely
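The three address questions raised in this thread (can a range be added to the Internal network without colliding with the External NIC's subnet, what hosts the wireless /22 scope actually covers, and whether a static route's gateway is "directly connected" in pwindell's sense) can all be checked mechanically. The script below is an added example written for this page, not code from the thread or from TMG; the TMG internal NIC address 172.16.0.2/24 is an assumption (the thread gives the proxy address 172.16.0.2 but not its mask), and the other values come from the posts above.

```python
"""Subnet sanity checks behind the thread's address plan (added example, not from TMG)."""
from ipaddress import IPv4Network, ip_address, ip_interface, ip_network
from typing import Dict, List, Tuple

# Constructed NIC configuration as seen on the TMG host.
TMG_NICS: Dict[str, str] = {
    "Internal": "172.16.0.2/24",   # address from the thread, /24 mask assumed
    "External": "192.168.0.2/24",  # ADSL side, as stated in the thread
}


def can_join_internal(candidate: str, external_nic: str) -> bool:
    """A range may be listed under Internal only if it stays clear of the External NIC's subnet."""
    return not ip_network(candidate).overlaps(ip_interface(external_nic).network)


def host_span(cidr: str) -> Tuple[str, str, int]:
    """First usable host, last usable host and usable host count of an IPv4 subnet."""
    net: IPv4Network = ip_network(cidr)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def gateway_is_directly_connected(gateway: str, nics: Dict[str, str]) -> bool:
    """A next hop is usable only if it sits inside the subnet of one of the host's own NICs."""
    gw = ip_address(gateway)
    return any(gw in ip_interface(addr).network for addr in nics.values())


def validate_route(dest: str, mask: str, gateway: str, nics: Dict[str, str]) -> List[str]:
    """Checks an admin would make before 'route add -p DEST mask MASK GATEWAY'.

    Returns a list of problems; an empty list means the route is consistent.
    ip_network() with a dotted mask raises ValueError if DEST has host bits set.
    """
    problems = []
    net = ip_network(f"{dest}/{mask}")
    if not gateway_is_directly_connected(gateway, nics):
        problems.append(f"gateway {gateway} is not on any directly connected subnet")
    if any(net.overlaps(ip_interface(a).network) for a in nics.values()):
        problems.append(f"{net} overlaps a directly connected subnet; no static route is needed")
    return problems


if __name__ == "__main__":
    # The original 192.168.0.0/24 wireless range collides with the External NIC;
    # the corrected 192.168.100.0/22 scope does not.
    for rng in ("192.168.0.0/24", "192.168.100.0/22"):
        print(rng, "may join Internal:", can_join_internal(rng, TMG_NICS["External"]))
    print("wireless scope:", host_span("192.168.100.0/22"))
    print("external subnet:", host_span("192.168.0.0/24"))
    # Route from pwindell's post, with the network typo corrected and the wireless /22 substituted.
    print(validate_route("192.168.100.0", "255.255.252.0", "172.16.0.10", TMG_NICS))
```

Under the assumed /24 internal mask the final post's gateway 172.16.101.1 would be reported as not directly connected; since that route worked for the author, the real internal mask must be wider than /24, which is exactly the kind of fact worth recording before the next firewall change.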
 
LVL 1

Author Comment

by:Olevo
ID: 35364131
All OK now. All I did was (per keith_alabaster's advice) add the IP address range of the wireless clients, 192.168.100.1 - 192.168.102.254, to the properties of the Internal network. Plus, as pwindell advised, I added a static route to the 192.168.100.0 network that uses a subnet mask of 255.255.252.0 and a gateway of 172.16.101.1.
 
LVL 51

Accepted Solution

by:Keith Alabaster
Keith Alabaster earned 800 total points
ID: 35364194
"Are all of the IP addresses associated with both the wireless subnet and the wired LAN subnet included in the local address table of the TMG internal NIC via the FTMG GUI, including the .0 and the .255 addresses?"

Don't forget that the addresses in the GUI - Internal network properties - should include the .0 and the .255 addresses, but glad it has moved forward.
 
LVL 1

Author Comment

by:Olevo
ID: 35480214
Sorry, I was very busy and didn’t have time to go through points assignments. Will do it shortly.