Solved

How to configure wireless connection with TMG 2010

Posted on 2011-03-20
2,619 Views
Last Modified: 2012-05-11
Hi there, I need some advice here please.

All company clients (wireless and wired) automatically get their settings (IP address, gateway, etc.) from the DHCP server. Everyone is connected to the Internet through a UNIX firewall.
 
A new TMG 2010 firewall has recently been installed. This firewall is connected to a different ISP and will be used exclusively by the IT department team. If an IT staff member needs to connect to the Internet through TMG, all they have to do is change their IE or Firefox proxy settings. Everything works fine for the IT staff when they use a network cable, but not on wireless.

Could someone please advise me on what exactly needs to be done so that IT staff can browse the Internet through the TMG firewall wirelessly? As I have mentioned before, wireless clients can browse the Internet through the UNIX firewall without any problems.

Thanks in advance.
VLAN.jpg
Question by:Olevo
26 Comments
 
LVL 4

Expert Comment

by:needleboy
Hi there,

What is 192.168.0.10?
The IP address of the router?
Is TMG connected directly to this device?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Any spoof attack detected on the TMG server? From Monitoring --> Alerts.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Another thing: can TMG ping any wirelessly connected PC?
0
 
LVL 1

Author Comment

by:Olevo
TMG is not directly connected to the router. 192.168.0.10 is the IP interface of the router connected to the Wireless LAN and 172.16.0.10 is the router interface to the LAN.

This is obviously a routing problem for the wireless clients. They get their settings from the DHCP server, but they have no idea about TMG as a gateway. Changing the proxy settings in IE to use TMG doesn't work here: TMG detects this as spoofed traffic and blocks all communication from the wireless client.

I'm guessing that something needs to be changed in the router, or perhaps an additional NIC needs to be installed in the TMG firewall and connected to the router (192.168.0.10).
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Please try this first:

http://support.microsoft.com/kb/838114
0
 
LVL 1

Author Comment

by:Olevo
To Sulimanw:
Thanks for the info. I'll try that tomorrow at work. Assuming that this "disabling the IP Spoof Detection..." fixes my problem, is it a good idea not to have IP Spoof Detection at all?! Or am I missing something here?!
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Spoof attack detection:
http://en.wikipedia.org/wiki/ARP_spoofing

In your case, when TMG tries to resolve the source IP address to a MAC address using ARP, it will get the router's MAC address (172.16.0.10), and that is not right, so TMG will consider the source IP address a spoofed one.

For sure it is a good idea to keep spoof attack detection enabled, but in your case disabling this feature is the only option.

I had the same issue 2 years ago (on ISA server).
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Are all of the IP addresses associated with both the Wireless subnet and the wired LAN subnet included in the local address table of the TMG internal NIC via the FTMG GUI, including the .0 and the .255 addresses?
0
 
LVL 4

Assisted Solution

by:needleboy
needleboy earned 200 total points
You must define network 192.168.0.0/24 as a private network in TMG.
Then you can allow wireless clients to access the Internet by creating a firewall rule or modifying an existing one.
0
 
LVL 1

Author Comment

by:Olevo
As Sulimanw suggested, I have created a new registry key to temporarily disable the IP Spoof Detection on TMG. No more spoofing alerts in the TMG logs; however, the wireless client still can't connect to the Internet through TMG?! This time I can see a successfully initiated connection from the wireless client, and straight away the connection is closed with status: "A connection was abortively closed after one of the peers sent an RST packet". Wireless clients get their settings from the DHCP server. As an example here: Client 2 (IP: 192.168.0.100/24, gateway: 192.168.0.10). The only thing I'm changing on the wireless client is the IE browser proxy settings (pointing to 172.16.0.2:8080). Does something else need to be created/changed on the TMG firewall?

The "work-around" above is a kind of temporary fix for us. I don't like the idea of disabling the IP Spoof Detection on TMG. I like needleboy's proposal of defining network 192.168.0.0/24 as a private network in TMG and creating an appropriate access rule for it. Now, how do you actually do this? Currently TMG doesn't have a NIC with 192.168.0.x. Does that mean I need to install one more NIC in TMG, define it as private and connect it to the 192.168.0.0/24 network?

To keith_alabaster:
Do I need to add the wireless range (192.168.0.0/24) to the Internal Properties? Please see the picture provided.

Internal.jpg
0
 
LVL 1

Author Comment

by:Olevo
Here is another thing. TMG is connected to the ADSL router with the NIC set as 192.168.0.2/24 and, as you can see, this is the same network range being used for the wireless clients. I'm guessing that you cannot add 192.168.0.0 as a private network in TMG?!
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
If the wireless IP addresses are located on the internal side of the FTMG then yes. If they are located on the external side of FTMG then no. This is what needleboy is telling you as well.

Why would anyone want to turn off spoof detection? This is like disconnecting the burglar alarm siren - the siren never goes off so I can't be being burgled. And hey, if I DO get burgled multiple times I will not know about it as the warning siren will never go off.

0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
I don't know what you mean by "needleboy".

Then, adding the wireless range to the TMG internal network is more secure than disabling spoof attack detection on the TMG server.

>>"Here is another thing. TMG is connected to the ADSL router with the NIC set as 192.168.0.2/24 and, as you can see, this is the same network range being used for the wireless clients. I'm guessing that you cannot add 192.168.0.0 as a private network in TMG?!"

That's true, you can't have the 192.168.0.x range on the internal network since this range is directly attached to the external NIC.
0
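To make the two points in this exchange concrete (why TMG flags the wireless clients as spoofed, and why the 192.168.0.0/24 range cannot be declared Internal while the external NIC is 192.168.0.2/24), here is a small model written for this page. It is example code, not TMG's own logic and not anything posted in the thread. The address ranges come from the thread's diagram; the renumbered external subnet 10.0.0.0/24 is a constructed alternative used only to show the fix taking effect.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the check a multi-homed firewall such as TMG performs:
# a packet's source address must fall inside one of the address ranges defined
# for the network object bound to the NIC it arrived on; otherwise the packet
# is logged as spoofed. Ranges below follow the thread's diagram
# (172.16.0.0/24 wired LAN, 192.168.0.0/24 wireless, external NIC 192.168.0.2/24).


def is_spoofed(src_ip, arrived_on, network_defs):
    """True when src_ip, seen on interface `arrived_on`, is not covered by any
    range defined for that interface's network object."""
    src = ip_address(src_ip)
    return not any(src in net for net in network_defs[arrived_on])


def add_range(network_defs, name, new_range):
    """Add `new_range` to the network object `name`, refusing a range that
    overlaps one already bound to a different interface. This is exactly why
    192.168.0.0/24 cannot become Internal while the external NIC sits in it."""
    new_net = ip_network(new_range, strict=False)
    for other, nets in network_defs.items():
        if other == name:
            continue
        clash = next((n for n in nets if n.overlaps(new_net)), None)
        if clash is not None:
            raise ValueError(f"{new_net} overlaps {clash} already bound to {other}")
    network_defs[name].append(new_net)


def walk_through():
    """Replay the thread: wireless client flagged, the obvious fix rejected,
    and the fix working once the external side no longer occupies 192.168.0.x."""
    defs = {
        "Internal": [ip_network("172.16.0.0/24")],   # wired LAN behind the internal NIC
        "External": [ip_network("192.168.0.0/24")],  # ADSL side, external NIC 192.168.0.2/24
    }
    # Wireless client 192.168.0.100 reaches TMG via the LAN router on the internal
    # NIC, but its source address is not in any Internal range: flagged.
    flagged = is_spoofed("192.168.0.100", "Internal", defs)   # True
    wired_ok = is_spoofed("172.16.0.50", "Internal", defs)    # False
    try:
        add_range(defs, "Internal", "192.168.0.0/24")
        collision = False
    except ValueError:
        collision = True                                        # True: external NIC is in that /24
    # Constructed alternative: renumber the external side first, then add the range.
    defs["External"] = [ip_network("10.0.0.0/24")]
    add_range(defs, "Internal", "192.168.0.0/24")
    fixed = is_spoofed("192.168.0.100", "Internal", defs)     # False
    return flagged, wired_ok, collision, fixed


if __name__ == "__main__":
    print(walk_through())
```

The model keeps the detection enabled throughout: the fix is to make the firewall's picture of its own networks complete, not to silence the alert.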
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Sorry for "I don't know what you mean by "needleboy"."

I have just realised that it is a member account name.

Sorry again.
0
 
LVL 1

Author Comment

by:Olevo
Summarising all the info above, here is my plan of action. Please correct me if I'm wrong.

1. Enable the IP Spoof Detection on TMG again
2. Because of the wireless subnet (192.168.0.0/24) we need to change the external (public) TMG interface (currently set as 192.168.0.2/24) to something different, let's say 10.0.0.1
3. Install an additional network card in TMG and assign a 192.168.0.x address to it
4. Add the wireless range (192.168.0.0/24) to the Internal Network
5. Perhaps some additional rules in TMG need to be created?!

Did I miss anything?
0
 
LVL 1

Author Comment

by:Olevo
I'm guessing that I have missed one step between 3 and 4, which is connecting the new NIC to the wireless range.
0
 
LVL 4

Assisted Solution

by:needleboy
needleboy earned 200 total points
Don't install another NIC. Simply add subnet 192.168.0.0/24 to the internal properties box you posted above.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Agree with needleboy.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
As I asked/stated in my very first post.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 100 total points
needleboy:
Don't install another NIC. Simply add subnet 192.168.0.0/24 to the internal properties box you posted above.

AND,...add a route to the Routing table on the ISA/TMG machine that tells it to use 172.16.0.10 as the gateway to get to the 192.168.0.x network

route add -p 192.168.0.0 mask 255.255.255.0 172.16.0.10
0
 
LVL 29

Expert Comment

by:pwindell
Olevo:
TMG is not directly connected to the router. 192.168.0.10 is the IP interface of the router connected to the Wireless LAN and 172.16.0.10 is the router interface to the LAN

Yes, the ISA is directly connected to that LAN router. The Internal NIC and the router interface are in the same subnet,...that,...by definition,...means they are directly connected,...it makes no difference how many hubs, switches, etc. are between them.
0
 
LVL 1

Author Comment

by:Olevo
To minimise the impact of distractions to the wireless clients we need to leave the DHCP wireless scope settings "as is". However, I can change the TMG external interface (ADSL connection). Or maybe I don't need to change anything for TMG?! Here is why.

Currently the IP scope for the wireless clients is set to 192.168.100.0/22 (mask: 255.255.252.0) and the TMG external NIC is set to 192.168.0.2/24 (mask: 255.255.255.0). Sorry, my network diagram is a bit wrong here: the router NIC for the wireless network is currently set as 192.168.100.1 (on the diagram shown as 192.168.0.10).

My IP subnetting skills are probably a bit rusty now, but... from what I can see here, wireless clients will always have an IP address between 192.168.100.1 and 192.168.103.254 (total hosts: 1,022) with a gateway of 192.16.100.1, and the TMG external NIC will be inside the 192.168.0.1 to 192.168.0.254 range (total hosts: 254) with a gateway of 192.168.0.1 (ADSL modem). Even though both IP ranges belong to a class C network, they are on different subnets, aren't they?!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Absolutely.
0
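To check the subnet arithmetic in the question above with a tool rather than by hand, and to show what pwindell's persistent static route looks like for the corrected /22 wireless range, here is an added example written for this page (not code from the thread). The gateway 172.16.0.10 is the router's LAN-side address from the original diagram and is an assumption about the final layout; the full network-to-broadcast range is included because the thread points out that TMG's Internal network properties should contain the .0 and .255 addresses.

```python
from ipaddress import ip_address, ip_network


def subnet_facts(cidr):
    """Network, mask, usable host range and count for a subnet in slash
    notation, plus the full address range (network and broadcast included),
    which is the form TMG's Internal network properties expect."""
    net = ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
        "internal_range_entry": f"{net.network_address} - {net.broadcast_address}",
    }


def on_same_subnet(cidr_a, cidr_b):
    """True when the two prefixes share any address at all."""
    return ip_network(cidr_a, strict=False).overlaps(ip_network(cidr_b, strict=False))


def gateway_is_local(cidr, gateway):
    """A client's default gateway must sit inside the client's own subnet."""
    return ip_address(gateway) in ip_network(cidr, strict=False)


def static_route_command(cidr, gateway):
    """Persistent Windows route in the 'route add -p' form used in the thread:
    network address, dotted mask, next-hop gateway."""
    net = ip_network(cidr, strict=False)
    return f"route add -p {net.network_address} mask {net.netmask} {ip_address(gateway)}"


if __name__ == "__main__":
    wireless = "192.168.100.0/22"   # wireless DHCP scope from the thread
    external = "192.168.0.0/24"     # TMG external NIC subnet from the thread
    print(subnet_facts(wireless))
    print("overlap with external:", on_same_subnet(wireless, external))
    print("gateway 192.168.100.1 local:", gateway_is_local(wireless, "192.168.100.1"))
    # 172.16.0.10 is the router's LAN-side address on the diagram (assumption).
    print(static_route_command(wireless, "172.16.0.10"))
```

Running it confirms the figures in the post (hosts 192.168.100.1 to 192.168.103.254, 1,022 of them, no overlap with 192.168.0.0/24) and prints the route line with the /22 mask already converted to 255.255.252.0, which is the detail most easily mistyped by hand.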
 
LVL 1

Author Comment

by:Olevo
All OK now. All I did was (per keith_alabaster's advice) add the IP address range of the wireless clients, 192.168.100.1 - 192.168.102.254, to the properties of the internal network. Plus, as pwindell advised, I added a static route to the 192.168.100.0 network that uses a subnet mask of 255.255.252.0 and a gateway of 172.16.101.1.
0
 
LVL 51

Accepted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
"Are all of the IP addresses associated with both the Wireless subnet and the wired LAN subnet included in the local address table of the TMG internal NIC via the FTMG GUI, including the .0 and the .255 addresses?"

Don't forget that the addresses in the GUI - internal network properties addresses - should include the .0 and the .255 addresses, but glad it has moved forward.
0
 
LVL 1

Author Comment

by:Olevo
Sorry, I was very busy and didn’t have time to go through points assignments. Will do it shortly.
0
