Solved

Connect to Internet from Windows server 2008

Posted on 2012-04-06
Last Modified: 2012-05-13
When trying to replace the old gateway server (OS 2003) with a new server running OS 2008, I have problems connecting to the internet from the OS-2008 server even though I can ping the gateway. In OS-2003 you have the option "Connect using a broadband connection that is always on", which is missing in OS-2008. The only option I have is "Connect using a broadband connection that requires a username and a password", which is also an option in OS-2003. When I use the available option in OS-2008 and leave username and password blank, I receive an error and no connection is established. Both servers' NICs are configured identically (fixed IP address: 10.1.1.1, subnet mask 255.255.255.0 and default gateway 10.1.1.254) but are not connected at the same time. For testing I move the Ethernet cable from one server to the other. What can I do?
Question by:AndHof
30 Comments
 
LVL 6

Expert Comment

by:Raquero
ID: 37816646
What do you mean by "gateway server?"

You should not have to use the new connection wizard as you already have a network interface configured. When you say you can ping the "gateway" what is that?
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37816649
i think there are many things to do.
first think about the role the server should have.
- if the server should be the gateway for others there must be some kind of routing or proxy.
 (are some applications at your old server?
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37816663
if you connect the LAN-interface and can ping the gateway (10.1.1.254) you should also be able to ping (or traceroute)
www.heise.de (or the ip 193.99.144.85)
if you only are able to ping the IP you need a dns-entry.

please describe your current environment.
0
 

Author Comment

by:AndHof
ID: 37816685
Answer to dkotte: The old server has an ISA installed and works as a gateway for the internal network to the internet. The configuration looks like this. Internet-> (cable connection with fix ip-address)->broadband modem->Cisco firewall->Old "gateway"-server->LAN. I think the gateway 10.1.1.254 is the gateway located in the Cisco firewall.
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37816707
the ISA (now TMG) is a Firewall.
you can't replace this device with a simple Windows2008r2 Server.
0
 

Author Comment

by:AndHof
ID: 37816708
The server I call the "gateway server" has 2 NIC's, one connected to the Cisco firewall and one to the LAN.
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37816714
AndHof, dkotte is correct. You will need to upgrade to Forefront Threat Management Gateway 2010.

Trial version:http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37816716
if you also have a cisco firewall - you have a 2 Firewall-design with a DMZ between the devices.
0
 

Author Comment

by:AndHof
ID: 37816718
I have installed TMG in the new server and migrated ISA settings to Forefront
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37816737
ok, if you configured/migrated the old ISA settings...
try to ping the things i posted above - from the TMG.
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37816754
You can also run the best practice analyzer which will inspect your configuration and may point to where the problem is: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=811
0
 

Author Comment

by:AndHof
ID: 37816766
I can ping 193.99.144.85 from both servers
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37816789
You have connectivity to the internet then but cannot access web sites from a browser?

Download and run the BPA (see comment ID: 37816754). It will run specific tests and help you narrow this down.
0
 

Author Comment

by:AndHof
ID: 37816792
If the dmz is between I do not know. I have not set it up. However, the cable from the broadband modem is connected to the Cisco PIX and one outlet from the PIX is connected to the ISA-server and one outlet is connected to our webpage-server (it is named on the cable dmz)
0
 
LVL 13

Expert Comment

by:Sandy
ID: 37816818
Did you check for Adv Windows Firewall, It might be On and denying the traffic.
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37817107
can you ping www.heise.de also?
can you access the ip 193.99.144.85  via webbrowser?

if you cannot ping the name but access the ip with webbrowser you have to setup the name resolution (DNS) at the TMG.

are you able to access your own Webserver by ip or name?
0
 

Author Comment

by:AndHof
ID: 37818529
I can either ping www.heise.de or access ip 193.99.144.85 via webbrowser. I can access our webserver by name (return local DMZ ip-no). I can ping DMZ ip-no for the web-server but I cannot ping the global web-server ip-no
0
 

Author Comment

by:AndHof
ID: 37818550
What does it mean to setup DNS at the TMG? The NIC facing Cisco PIX does not have any DNS-server specified in the fully working old 2003-server.
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37818838
every server needs DNS to resolve internet-names to IP addresses.
If you try to ping www.heise.de and the answer is "193.99.144.85 is not reachable", the name resolution works.
also "nslookup www.heise.de" should present this IP.
if you are not able to access the webpage via IP (in this case the name resolution can't be the problem) - which message do you receive?
Is the error-message from the TMG?

i think the error are related to the ISA/TMG. I would suggest to add the matching topic.
0
 

Author Comment

by:AndHof
ID: 37818876
If I run the old 2003-ISA-server, the connection to the internet is fast, but if I disconnect the LAN-NIC-cable the connection to the internet is not possible any longer despite the NIC facing Cisco still being connected, i.e. the connection to the internet is untouched. If I connect the cable to the LAN-NIC again the connection to the internet is immediate. What does the internal LAN do in order to browse the internet?
If I run the TMG-server and try to connect to the internet it fails as described before. If I run the diagnostic option on the failed web page the result is: The DNS server isn't responding.
The TMG-server is a member of the LAN-domain. The DNS of the TMG-server
0
 

Author Comment

by:AndHof
ID: 37818934
The 2003-ISA-server does not have any preferred DNS-servers and therefore I did not configure the NIC with any either. After googling on the DNS-subject I found a discussion about almost the same subject as my problem. The proposal was to enter 208.67.222.222 and 208.67.220.220 as preferred DNS-servers on the gateway. I did this on my NIC facing Cisco and immediately I could browse the internet from the 2008-TMG-server. However, now I have moved the problem to the LAN-computers. When I try to browse the internet from my LAN-computer I cannot do this and after diagnostic search the answer becomes the same as before for the 2008-TMG-server: The DNS-server isn't responding.
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37818942
you should have one (or two) internal DNS server within the domain.
this server should be configured at the client computers.
this server should have an entry for the "DNS-forwarder". This is the external DNS-Server (possible 208.67.222.222)
your internal dns-server have to reach the external DNS-server.
try from your local DNS-Server
- nslookup
- server 208.67.222.222
- www.heise.de

this should work for the internal DNS if this server should resolve the names for the clients.
0
 

Author Comment

by:AndHof
ID: 37820730
I discovered that the problem now is that I cannot ping the TMG-server from the LAN-computers. I suppose that is why the LAN-computers cannot reach the internet (the LAN-computers do not "see" the gateway). I have uninstalled and installed the TMG 3 times in order to be sure I have not missed anything. The second time I installed the program I started to make the configuration by using the TMG starting wizard and before I imported the settings from the ISA-server. This turned out to be a mistake. When I tried to import the ISA-settings an error occurred saying something like "No CA certificate selected for https forward bridges". The importation must be done before you run the starting configuration wizard. So this I did the third time I installed the software. This makes me believe that the TMG-server is configured exactly as the ISA-server. I still have the suspicion that there is something in the LAN settings which makes the ISA-server work. I have not yet got an answer why the ISA server must be connected to the LAN in order to reach the Internet. As soon as I disconnect the LAN-cable, and just some seconds after, the internet is no longer reachable. I have looked into the DNS-server (active in the domain controller server (SBS 2003) in our LAN) but I cannot see any item with an external DNS which the ISA server uses for reaching the internet (as I said before the NIC facing external does not have any Preferred DNS-servers configured).
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37821016
possibly the TMG (a good firewall) doesn't let you ping the device.
after trying to ping look to the arp cache.
if there is an entry with the MAC- and IP-Address of your TMG - you are able to reach this device. Then the TMG only doesn't answer you.
but I'm not a TMG-Specialist.
if your DNS has no forwarder-entries ... i think the DNS goes to the dns-root-servers and searches the name from there.
this also can work, but the DNS then has to access many different servers. At the TMG should be a rule like this: "your DNS-Server to ANY service DNS"
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37821077
... "arp -a" displays the arp cache ...
0
 

Author Comment

by:AndHof
ID: 37826460
Thank you for your proposals. I will not be in the office the next coming 1-2 weeks. I will continue the work when I'm back.
0
 

Author Comment

by:AndHof
ID: 37932156
I'm back in the office and have almost forgotten this issue. However I think I see what is the problem but do not know how to resolve it. The old ISA server has 2 NICs. One called internal and one called external. The external is configured with a static ip-address 10.1.1.1, subnet 255.255.255.0 and a gateway 10.1.1.254. No preferred or alternate DNS server is specified. The internal NIC is connected to the LAN.
The NIC called external is connected to the Cisco Pix->Broadband modem->ISP and has a fix ip address 10.1.1.1, subnet mask 255.255.255.0 and a default gateway 10.1.1.254. No preferred or alternate DNS server is specified. However under Advanced -> IP-settings there is more IP-addresses specified: 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4 and 10.1.1.5.

The new TMG server has also 2 NICs and I have configured the TCP/IP settings exactly the same.

Here follows some findings:
Old ISA server is connected to the LAN and the Cisco Pix
I reach internet immediately from ISA server and LAN clients. I can ping 10.1.1.1-10.1.1.5 from ISA server and LAN clients. I can ping the external gateway 10.1.1.254 from the ISA server and the LAN clients.

New TMG server is connected to the LAN and the Cisco Pix
I do not reach internet from the TMG server. However, if I specify the DNS servers given by the ISP as the preferred or alternate DNS servers in the external NIC I reach the internet. I can ping 10.1.1.1-10.1.1.5 from TMG server and LAN clients. I can ping the external gateway 10.1.1.254 from the TMG server but not from the LAN clients.

It seems to be the fact that I cannot ping 10.1.1.254 from the LAN clients which makes it impossible to reach internet from the LAN clients. What can be the problem? Why do I have to specify preferred or alternate DNS servers for the external NIC of the TMG server when I do not need it for the old ISA-server in order to reach internet from the server? Where is the gateway 10.1.1.254 located? In the Pix?
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37932858
the gateway 10.1.1.254 is located at the PIX.

look to the log at the asa. There you should see why the LAN-Clients are unable to ping the PIX.

possibly the ISA is the only device which is able to ping/access the PIX and internet.

the only possible connection over ISA is using NAT.
Means: PIX sees every connection sourced by the ISA.
The TMG can use routing without NAT also.
means: (possibly) PIX sees packets sourced by internal LAN-clients.
this should be visible at the Pix-logs.

if this is the problem you have to configure NAT at the TMG or extend the range of allowed clients at the PIX.
0
 

Accepted Solution

by:
AndHof earned 0 total points
ID: 37942898
It was a TMG issue. I had only allowed http and https traffic from internal to external and not the DNS request. When I changed "This rule applies to All outbound traffic" instead of selected protocols HTTP and HTTPS it works fine.
0
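The failure and fix described in the accepted solution, modelled as an added example (not code from the thread and not TMG's own API): a minimal ordered, default-deny rule evaluator showing why a page load fails at the DNS step under an HTTP/HTTPS-only rule. The rule names, the probe list and the narrower "HTTP/HTTPS plus DNS" policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]  # (transport, destination port)
HTTP, HTTPS, SMTP = ("tcp", 80), ("tcp", 443), ("tcp", 25)
DNS_UDP, DNS_TCP = ("udp", 53), ("tcp", 53)

@dataclass(frozen=True)
class Rule:
    name: str  # hypothetical rule name
    src: str
    dst: str
    services: Optional[FrozenSet[Service]]  # None models "All outbound traffic"

def match(rules: List[Rule], src: str, dst: str, svc: Service) -> Optional[str]:
    """Ordered evaluation: first allow rule that matches wins, otherwise default deny."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and (r.services is None or svc in r.services):
            return r.name
    return None

def browse(rules: List[Rule]) -> str:
    """Walk the flows a LAN page load needs, in order; report the first one denied."""
    steps = [("DNS lookup", DNS_UDP), ("HTTPS request", HTTPS)]
    for label, svc in steps:
        if match(rules, "Internal", "External", svc) is None:
            return "denied at " + label
    return "ok"

def extra_exposure(rules: List[Rule]) -> List[Service]:
    """Non-web, non-DNS probes the policy lets out (constructed probe list)."""
    probes = [SMTP, ("tcp", 3389), ("tcp", 445)]
    return [p for p in probes if match(rules, "Internal", "External", p)]

# Three constructed policies: as migrated, the thread's fix, and a narrower alternative.
MIGRATED = [Rule("Web access", "Internal", "External", frozenset({HTTP, HTTPS}))]
THREAD_FIX = [Rule("Web access", "Internal", "External", None)]
NARROW = [Rule("Web access", "Internal", "External", frozenset({HTTP, HTTPS})),
          Rule("DNS out", "Internal", "External", frozenset({DNS_UDP, DNS_TCP}))]

if __name__ == "__main__":
    for name, policy in [("migrated", MIGRATED), ("thread fix", THREAD_FIX), ("narrow", NARROW)]:
        print(f"{name:10} browse={browse(policy):22} extra={extra_exposure(policy)}")
```

In this model both the thread's fix and the narrower policy restore browsing, but only the "All outbound traffic" rule also passes the unrelated probes.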
 

Author Closing Comment

by:AndHof
ID: 37961930
I found the solution. What else could I say? However I gave myself the lowest grade for the correct answer.
0
