How to configure a wireless connection with TMG 2010

Hi there, I need some advice here please.

All company clients (wireless and wired) automatically have their settings (IP address, gateway, etc.) taken from the DHCP server. Everyone is connected to the Internet through a UNIX firewall.

A new TMG 2010 firewall has recently been installed. This firewall is connected to a different ISP and will be used exclusively by the IT department team. If an IT staff member needs to connect to the Internet through TMG, all they have to do is change their IE or Firefox proxy settings. Everything works fine for the IT staff when they use a network cable, but not on wireless.

Could someone please advise me on what exactly needs to be done so that IT staff can browse the Internet through the TMG firewall wirelessly? As I have mentioned before, wireless clients can browse the Internet through the UNIX firewall without any problems.

Thanks in advance.
Attachment: VLAN.jpg

Asked by Olevo

5 Solutions
 
needleboy commented:
Hi there,

What is 192.168.0.10?
The IP address of the router?
Is TMG connected directly to this device?
 
Suliman Abu Kharroub (IT Consultant) commented:
Any spoof attack detected on the TMG server? See Monitoring --> Alerts.
 
Suliman Abu Kharroub (IT Consultant) commented:
Another thing: can TMG ping any wireless-connected PC?
Olevo (Author) commented:
TMG is not directly connected to the router. 192.168.0.10 is the IP interface of the router connected to the Wireless LAN, and 172.16.0.10 is the router interface to the LAN.

This is an obvious routing problem for the wireless clients. They have their settings from the DHCP server, but they have no idea about TMG as a gateway. Changing the proxy settings in IE to use TMG doesn't work here. TMG detects this as spoofed traffic and is blocking all communication from the wireless client.

I'm guessing that something needs to be changed in the router, or perhaps an additional NIC needs to be installed in the TMG firewall and connected to the router (192.168.0.10).
 
Suliman Abu Kharroub (IT Consultant) commented:
Please try this first:

http://support.microsoft.com/kb/838114
 
Olevo (Author) commented:
To Sulimanw:
Thanks for the info. I'll try that tomorrow at work. Assuming that this "disabling the IP Spoof Detection…" will fix my problem, is it a good idea not to have IP Spoof Detection at all?! Or am I missing something here?!
 
Suliman Abu Kharroub (IT Consultant) commented:
Spoof attack detection:
http://en.wikipedia.org/wiki/ARP_spoofing

In your case, when TMG tries to resolve the source IP address to a MAC address using the ARP protocol, it will get the router's MAC address (172.16.0.10), and that is not true, so TMG will consider the source IP address a spoofed one.

For sure it is a good idea to keep spoof attack detection enabled, but in your case disabling this feature is the only option.

I had the same issue 2 years ago (on ISA server).
 
Keith Alabaster commented:
Are all of the IP addresses associated with both the Wireless subnet and the wired LAN subnet included in the local address table of the TMG internal NIC via the FTMG GUI, including the .0 and the .255 addresses?
 
needleboy commented:
You must define network 192.168.0.0/24 as a private network in TMG.
Then you can allow wireless clients to access the Internet by creating a firewall rule or modifying an existing one.
 
Olevo (Author) commented:
As Sulimanw suggested, I have created a new registry key to temporarily disable the IP Spoof Detection on TMG. No more spoofing alerts in the TMG logs; however, the wireless client still can't connect to the Internet through TMG?! This time I can see a successfully initiated connection from the wireless client, and straight away the connection is closed with status: "A connection was abortively closed after one of the peers sent an RST packet". Wireless clients get their settings from the DHCP server. As an example here: Client 2 (IP: 192.168.0.100/24, gateway: 192.168.0.10). The only thing I'm changing on the wireless client is the IE browser proxy settings (pointing to 172.16.0.2:8080). Does something else need to be created/changed on the TMG firewall?

The "work-around" above is a kind of temporary fix for us. I don't like the idea of disabling the IP Spoof Detection on TMG. I like needleboy's proposal of defining network 192.168.0.0/24 as a private network in TMG and creating an appropriate access rule for it. Now, how do you actually do this? Currently TMG doesn't have a NIC with a 192.168.0.x address. Does that mean I need to install one more NIC in TMG, define it as private and connect it to the 192.168.0.0/24 network?

To keith_alabaster:
Do I need to add the wireless range (192.168.0.0/24) to the Internal Properties? Please see the picture provided.

Attachment: Internal.jpg
 
Olevo (Author) commented:
Here is another thing. TMG is connected to the ADSL router with the NIC set as 192.168.0.2/24 and, as you can see, this is the same network range being used for the wireless clients. I'm guessing that you cannot add 192.168.0.0 to be a private network in TMG?!
 
Keith Alabaster commented:
If the wireless IP addresses are located on the internal side of the FTMG then yes. If they are located on the external side of FTMG then no. This is what needleboy is telling you as well.

Why would anyone want to turn off spoof detection? This is like disconnecting the burglar alarm siren: the siren never goes off, so I can't be being burgled. And hey, if I DO get burgled multiple times I will not know about it, as the warning siren will never go off.
 
Suliman Abu Kharroub (IT Consultant) commented:
I don't know what you mean by "needleboy".

Then, adding the wireless range to the TMG internal network is more secure than disabling spoof attack detection on the TMG server.

>>"Here is another thing. TMG is connected to the ADSL router with the NIC set as 192.168.0.2/24 and as you can see this is the same network range being used for the wireless clients. I'm guessing that you cannot add 192.168.0.0 to be a private network in TMG?!"

That's true, you can't have the 192.168.0.x range on the internal network, since this range is directly attached to the external NIC.
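The two rules the thread has arrived at, as an added illustration (this is a model written for this page, not code from TMG or from anyone in the thread): TMG flags a packet as spoofed when it arrives on an adapter whose configured address ranges do not contain the packet's source address, and an address range may belong to only one TMG network, so the wireless subnet cannot be added to Internal while it also covers the External NIC. The address table is taken from the diagram (Internal NIC 172.16.0.2/24, External NIC 192.168.0.2/24); writing External out as that single subnet is an assumption, and the 192.168.100.0/22 scope is the one Olevo reports later in the thread.

```python
"""
Model of TMG's per-adapter spoof check and its "no overlapping networks" rule.
Added illustration for this thread; not TMG code.  Addresses are from the
thread's diagram; the wireless scope 192.168.100.0/22 is from Olevo's later post.
"""
from ipaddress import ip_address, ip_network

# Adapter -> address ranges as configured before any change (assumption: the
# External network is written out as the one directly attached subnet).
ORIGINAL_NETWORKS = {
    "Internal": [ip_network("172.16.0.0/24")],   # wired LAN behind the Internal NIC
    "External": [ip_network("192.168.0.0/24")],  # ADSL side, External NIC 192.168.0.2
}


def is_spoofed(networks, adapter, src):
    """True when src arrives on `adapter` but lies outside that adapter's ranges."""
    return not any(ip_address(src) in r for r in networks[adapter])


def can_add_range(networks, adapter, candidate):
    """A range may be added to `adapter` only if it overlaps no other network's ranges."""
    cand = ip_network(candidate, strict=False)
    for name, ranges in networks.items():
        if name == adapter:
            continue
        for r in ranges:
            if cand.overlaps(r):
                return False, f"{cand} overlaps {r} on {name}"
    return True, ""


def with_range(networks, adapter, candidate):
    """Copy of the network table with `candidate` appended to `adapter`."""
    new = {k: list(v) for k, v in networks.items()}
    new[adapter].append(ip_network(candidate, strict=False))
    return new


if __name__ == "__main__":
    # Diagram's wireless client, forwarded by the LAN router onto the Internal NIC
    # with its own source address: outside Internal's ranges, so it is the alert Olevo saw.
    print(is_spoofed(ORIGINAL_NETWORKS, "Internal", "192.168.0.100"))        # True
    # needleboy's suggestion with the diagram's wireless subnet collides with the
    # External NIC's subnet, which is Suliman's objection.
    print(can_add_range(ORIGINAL_NETWORKS, "Internal", "192.168.0.0/24"))    # (False, ...)
    # With the real /22 scope the range is allowed and the same client is no longer spoofed.
    ok, _ = can_add_range(ORIGINAL_NETWORKS, "Internal", "192.168.100.0/22")
    fixed = with_range(ORIGINAL_NETWORKS, "Internal", "192.168.100.0/22")
    print(ok, is_spoofed(fixed, "Internal", "192.168.100.50"))              # True False
```

The check is per adapter: adding the wireless range to Internal is what stops the alert, and disabling spoof detection (the registry workaround) only silences the same check for every adapter.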
 
Suliman Abu Kharroub (IT Consultant) commented:
Sorry for "I don't know what you mean by "needleboy"."

I have just realised that it is a member account name.

Sorry again.
 
Olevo (Author) commented:
Summarising all the info above, here is my plan of action. Please correct me if I'm wrong.

1. Enable IP Spoof Detection back on TMG.
2. Because of the wireless subnet (192.168.0.0/24) we need to change the external (public) TMG interface (currently set as 192.168.0.2/24) to something different, let's say 10.0.0.1.
3. Install an additional network card in TMG and assign a 192.168.0.x address to it.
4. Add the wireless range (192.168.0.0/24) to the Internal Network.
5. Perhaps some additional rules in TMG need to be created?!

Did I miss anything?
 
Olevo (Author) commented:
I'm guessing that I have missed one step between 3 and 4, which is connecting the new NIC to the wireless range.
 
needleboy commented:
Don't install another NIC. Simply add subnet 192.168.0.0/24 to the internal properties box you posted above.
 
Suliman Abu Kharroub (IT Consultant) commented:
Agree with needleboy.
 
Keith Alabaster commented:
As I asked/stated in my very first post.
 
pwindell commented:
needleboy:
Don't install another NIC. Simply add subnet 192.168.0.0/24 to the internal properties box you posted above.

AND... add a route to the routing table on the ISA/TMG machine that tells it to use 172.16.0.10 as the gateway to get to the 192.168.0.x network:

route add -p 192.168.0.0 mask 255.255.255.0 172.16.0.10
 
pwindell commented:
Olevo:
TMG is not directly connected to the router. 192.168.0.10 is the IP interface of the router connected to the Wireless LAN and 172.16.0.10 is the router interface to the LAN.

Yes, the ISA is directly connected to that LAN router. The Internal NIC and the router interface are in the same subnet; that, by definition, means they are directly connected. It makes no difference how many hubs, switches, etc. are between them.
 
Olevo (Author) commented:
To minimise the impact of disruptions to the wireless clients we need to leave the DHCP wireless scope settings "as is". However, I can change the TMG external interface (ADSL connection). Or maybe I don't need to change anything for TMG?! Here is why.

Currently the IP scope for the wireless clients is set to 192.168.100.0/22 (mask: 255.255.252.0) and the TMG external NIC is set to 192.168.0.2/24 (mask: 255.255.255.0). Sorry, my network diagram is a bit wrong here: the router NIC for the wireless network is currently set to 192.168.100.1 (on the diagram it shows as 192.168.0.10).

My IP subnetting skills are probably a bit rusty now, but… from what I can see here, wireless clients will always have an IP address between 192.168.100.1 and 192.168.103.254 (total hosts: 1,022) with a gateway of 192.168.100.1, and the TMG external NIC will be inside the 192.168.0.1 to 192.168.0.254 range (total hosts: 254) with a gateway of 192.168.0.1 (ADSL modem). Even though both IP ranges belong to class C networks, they are on different subnets, aren't they?!
 
Keith Alabaster commented:
Absolutely.
 
Olevo (Author) commented:
All OK now. All I did was (per keith_alabaster's advice) add the IP address range of the wireless clients, 192.168.100.1 - 192.168.102.254, to the properties of the internal network. Plus, as pwindell advised, I added a static route to the 192.168.100.0 network that uses a subnet mask of 255.255.252.0 and a gateway of 172.16.101.1.
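Why the static route is the other half of the fix, as an added illustration (a model of the TMG host's routing table written for this page, not Windows or TMG code): the reply to a wireless client is routed by longest prefix match, and without a route for the wireless scope the only match is the default route, which points at the ADSL modem on the External NIC. The addresses are from the thread (External NIC 192.168.0.2/24 with the modem 192.168.0.1 as default gateway, Internal NIC 172.16.0.2/24); the LAN router address 172.16.0.10 is the one on the diagram and is an assumption, since Olevo's final post uses a different gateway. The helper at the end returns the first and last address of the /22, which is what Keith means by entering the .0 and .255 addresses in the GUI.

```python
"""
Longest-prefix-match model of the routing table on the TMG host.
Added illustration for this thread; not Windows or TMG code.
Routes are (destination prefix, gateway or None for on-link, interface),
the same information `route print` shows.  Addresses are from the thread;
the LAN router 172.16.0.10 is taken from the diagram (assumption).
"""
from ipaddress import ip_address, ip_network

BASE_ROUTES = [
    ("0.0.0.0/0",      "192.168.0.1", "External"),  # default via the ADSL modem
    ("192.168.0.0/24", None,          "External"),  # External NIC 192.168.0.2/24, on-link
    ("172.16.0.0/24",  None,          "Internal"),  # Internal NIC 172.16.0.2/24, on-link
]

# Equivalent of:  route add -p 192.168.100.0 mask 255.255.252.0 172.16.0.10
WIRELESS_ROUTE = ("192.168.100.0/22", "172.16.0.10", "Internal")


def lookup(routes, dst):
    """Return (next_hop, interface) for dst, choosing the most specific matching prefix."""
    dst = ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return (gw or str(dst), iface)   # on-link: the next hop is the destination itself


def gui_range(prefix):
    """First and last address of a subnet, i.e. the .0 and .255 ends Keith asks for."""
    net = ip_network(prefix)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    client = "192.168.100.50"
    # Without the route the reply leaves through the modem, not back to the LAN router.
    print(lookup(BASE_ROUTES, client))                     # ('192.168.0.1', 'External')
    print(lookup(BASE_ROUTES + [WIRELESS_ROUTE], client))  # ('172.16.0.10', 'Internal')
    print(gui_range("192.168.100.0/22"))                   # ('192.168.100.0', '192.168.103.255')
```

The /22 covers 192.168.100.0 through 192.168.103.255, so the range entered on the Internal network's Addresses tab should span those two ends rather than only the usable host addresses, and the route must use the /22 mask (255.255.252.0) to cover the whole scope.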
 
Keith Alabaster commented:
"Are all of the IP addresses associated with both the Wireless subnet and the wired LAN subnet included in the local address table of the TMG internal NIC via the FTMG GUI, including the .0 and the .255 addresses?"

Don't forget that the addresses in the GUI (internal network properties) should include the .0 and the .255 addresses, but glad it has moved forward.
 
Olevo (Author) commented:
Sorry, I was very busy and didn't have time to go through the points assignment. Will do it shortly.