Solved

Connect to Internet from Windows server 2008

Posted on 2012-04-06
Last Modified: 2012-05-13
When trying to exchange the old gateway server (OS 2003) for a new server with OS 2008, I have problems connecting to the internet from the OS-2008 server even though I can ping the gateway. In OS-2003 you have the option "Connect using a broadband connection that is always on", which is missing in OS-2008. The only option I have is "Connect using a broadband connection that requires a username and a password", which is also an option in OS-2003. When I use the available option in OS-2008 and leave username and password blank, I receive an error and no connection is established. Both servers' NICs are configured identically (fixed IP address: 10.1.1.1, subnet mask 255.255.255.0 and default gateway 10.1.1.254) but are not connected at the same time. For testing I move the Ethernet cable from one server to the other. What can I do?
Question by:AndHof
30 Comments
 
LVL 6

Expert Comment

by:Raquero
What do you mean by "gateway server?"

You should not have to use the new connection wizard as you already have a network interface configured. When you say you can ping the "gateway" what is that?
 
LVL 23

Expert Comment

by:Dirk Kotte
I think there are many things to do.
First think about the role the server should have.
- if the server should be the gateway for others there must be some kind of routing or proxy.
 (are some applications at your old server?
 
LVL 23

Expert Comment

by:Dirk Kotte
if you connect the LAN-interface and can ping the gateway (10.1.1.254) you should also be able to ping (or traceroute)
www.heise.de (or the ip 193.99.144.85)
if you only are able to ping the IP you need a dns-entry.

please describe your current environment.
 

Author Comment

by:AndHof
Answer to dkotte: The old server has an ISA installed and works as a gateway for the internal network to the internet. The configuration looks like this: Internet -> (cable connection with fixed IP address) -> broadband modem -> Cisco firewall -> old "gateway" server -> LAN. I think the gateway 10.1.1.254 is the gateway located in the Cisco firewall.
 
LVL 23

Expert Comment

by:Dirk Kotte
the ISA (now TMG) is a Firewall.
you can't replace this device with a simple Windows2008r2 Server.
 

Author Comment

by:AndHof
The server I call the "gateway server" has 2 NICs, one connected to the Cisco firewall and one to the LAN.
 
LVL 6

Expert Comment

by:Raquero
AndHof, dkotte is correct. You will need to upgrade to Forefront Threat Management Gateway 2010.

Trial version: http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx
 
LVL 23

Expert Comment

by:Dirk Kotte
if you also have a cisco firewall - you have a 2 Firewall-design with a DMZ between the devices.
 

Author Comment

by:AndHof
I have installed TMG in the new server and migrated ISA settings to Forefront
 
LVL 23

Expert Comment

by:Dirk Kotte
ok, if you configured/migrated the old ISA settings...
try to ping the things i posted above - from the TMG.
 
LVL 6

Expert Comment

by:Raquero
You can also run the best practice analyzer which will inspect your configuration and may point to where the problem is: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=811
 

Author Comment

by:AndHof
I can ping 193.99.144.85 from both servers
 
LVL 6

Expert Comment

by:Raquero
You have connectivity to the internet then but cannot access web sites from a browser?

Download and run the BPA http:#a37816754 . It will run specific tests and help you narrow this down.
 

Author Comment

by:AndHof
If the DMZ is between I do not know. I have not set it up. However, the cable from the broadband modem is connected to the Cisco PIX and one outlet from the PIX is connected to the ISA-server and one outlet is connected to our webpage-server (it is named on the cable dmz)
 
LVL 13

Expert Comment

by:Sandy
Did you check for Adv Windows Firewall? It might be on and denying the traffic.

 
LVL 23

Expert Comment

by:Dirk Kotte
can you ping www.heise.de also?
can you access the ip 193.99.144.85 via webbrowser?

if you cannot ping the name but access the ip with webbrowser you have to setup the name resolution (DNS) at the TMG.

are you able to access your own Webserver by ip or name?
 

Author Comment

by:AndHof
I can either ping www.heise.de or access ip 193.99.144.85 via webbrowser. I can access our webserver by name (return local DMZ ip-no). I can ping DMZ ip-no for the web-server but I cannot ping the global web-server ip-no
 

Author Comment

by:AndHof
What does it mean to setup DNS at the TMG? The NIC facing Cisco PIX does not have any DNS-server specified in the fully working old 2003-server.
 
LVL 23

Expert Comment

by:Dirk Kotte
every server needs DNS to resolve internet-names to IP addresses.
If you try to ping www.heise.de and the answer is 193.99.144.85 is not reachable the name resolution works.
also "nslookup www.heise.de" should present this IP.
if you are not able to access the webpage via IP (in this case the name resolution can't be the problem) - which message do you receive?
Is the error-message from the TMG?

i think the error is related to the ISA/TMG. I would suggest to add the matching topic.
 

Author Comment

by:AndHof
If I run the old 2003-ISA-server, the connection to the internet is fast but if I disconnect the LAN-NIC-cable the connection to the internet is not possible any longer despite the NIC facing Cisco is still connected, i.e. the connection to the internet is untouched. If I connect the cable to the LAN-NIC again the connection to the internet is immediate. What does the internal LAN do in order to browse the internet?
If I run the TMG-server and try to connect to the internet it fails as described before. If I run the diagnostic option on the failed web page the result is: The DNS server isn’t responding.
The TMG-server is a member of the LAN-domain. The DNS of the TMG-server
 

Author Comment

by:AndHof
The 2003-ISA-server does not have any preferred DNS-servers and therefore I did not configure the NIC with any either. After googling on the DNS-subject I found a discussion about almost the same subject as my problem. The proposal was to enter 208.67.222.222 and 208.67.220.220 as preferred DNS-servers on the gateway. I did this on my NIC facing Cisco and immediately I could browse the internet from the 2008-TMG-server. However, now I have moved the problem to the LAN-computers. When I try to browse the internet from my LAN-computer I cannot do this and after diagnostic search the answer becomes the same as before for the 2008-TMG-server: The DNS-server isn't responding.
 
LVL 23

Expert Comment

by:Dirk Kotte
you should have one (or two) internal DNS server within the domain.
this server should be configured at the client computers.
this server should have an entry for the "DNS-forwarder". This is the external DNS-Server (possible 208.67.222.222)
your internal dns-server have to reach the external DNS-server.
try from your local DNS-Server
- nslookup
- server 208.67.222.222
- www.heise.de

this should work for the internal DNS if this server should resolve the names for the clients.
 

Author Comment

by:AndHof
I discovered that the problem now is that I cannot ping the TMG-server from the LAN-computers. I suppose that is why the LAN-computers cannot reach the internet (the LAN-computers do not "see" the gateway). I have uninstalled and installed the TMG 3 times in order to be sure I have not missed anything. The second time I installed the program I started to make the configuration by using the TMG starting wizard and before I imported the settings from the ISA-server. This turned out to be a mistake. When I tried to import the ISA-settings an error occurred saying something like "No CA certificate selected for https forward bridges". The importation must be done before you run the starting configuration wizard. So this I did the third time I installed the software. This makes me believe that the TMG-server is configured exactly as the ISA-server. I still have the suspicion that there is something in the LAN settings which makes the ISA-server work. I have not yet got an answer why the ISA server must be connected to the LAN in order to reach the Internet. As soon as I disconnect the LAN-cable and just some seconds after the internet is no longer reachable. I have looked into the DNS-server (active in the domain controller server (SBS 2003) in our LAN) but I cannot see any item with an external DNS which the ISA server uses for reaching the internet (as I said before the NIC facing external does not have any Preferred DNS-servers configured).
 
LVL 23

Expert Comment

by:Dirk Kotte
possible the TMG (a good firewall) doesn't let you ping the device.
after trying to ping look to the arp cache.
if there is an entry with the MAC- and IP-Address of your TMG - you are able to reach this device. Then the TMG only doesn't answer you.
but I'm not a TMG-Specialist.
if your DNS has no forwarder-entries ... i think the DNS goes to the dns-root-servers and searches the name from there.
this also can work, but the DNS then has to access many different servers. At the TMG should be a rule like this: "your DNS-Server to ANY service DNS"
 
LVL 23

Expert Comment

by:Dirk Kotte
... "arp -a" displays the arp cache ...
 

Author Comment

by:AndHof
Thank you for your proposals. I will not be in the office the next coming 1-2 weeks. I will continue the work when I'm back.
 

Author Comment

by:AndHof
I'm back in the office and have almost forgotten this issue. However I think I see what the problem is but do not know how to resolve it. The old ISA server has 2 NICs. One called internal and one called external. The external is configured with a static IP address 10.1.1.1, subnet 255.255.255.0 and a gateway 10.1.1.254. No preferred or alternate DNS server is specified. The internal NIC is connected to the LAN.
The NIC called external is connected to the Cisco Pix->Broadband modem->ISP and has a fixed IP address 10.1.1.1, subnet mask 255.255.255.0 and a default gateway 10.1.1.254. No preferred or alternate DNS server is specified. However under Advanced -> IP-settings there are more IP addresses specified: 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4 and 10.1.1.5.

The new TMG server also has 2 NICs and I have configured the TCP/IP settings exactly the same.

Here follow some findings:
Old ISA server is connected to the LAN and the Cisco Pix
I reach internet immediately from ISA server and LAN clients. I can ping 10.1.1.1-10.1.1.5 from ISA server and LAN clients. I can ping the external gateway 10.1.1.254 from the ISA server and the LAN clients.

New TMG server is connected to the LAN and the Cisco Pix
I do not reach internet from the TMG server. However, if I specify the DNS servers given by the ISP as the preferred or alternate DNS servers in the external NIC I reach the internet. I can ping 10.1.1.1-10.1.1.5 from TMG server and LAN clients. I can ping the external gateway 10.1.1.254 from the TMG server but not from the LAN clients.

It seems to be the fact I cannot ping 10.1.1.254 from the LAN clients which makes it impossible to reach internet from the LAN clients. What can be the problem? Why do I have to specify preferred or alternate DNS servers for the external NIC of the TMG server when I do not need it for the old ISA-server in order to reach internet from the server? Where is the gateway 10.1.1.254 located? In the Pix?
 
LVL 23

Expert Comment

by:Dirk Kotte
the gateway 10.1.1.254 is located at the PIX.

look to the log at the asa. There you should see why the LAN-Clients are unable to ping the PIX.

possible the ISA is the only device which is able to ping/access the PIX and internet.

the only possible connection over ISA using NAT.
Means: PIX sees every connection sourced by the ISA.
The TMG can use routing without NAT also.
means: (possible) PIX sees packets sourced by internal LAN-clients.
this should be visible at the Pix-logs.

if this is the problem you have to configure NAT at the TMG or extend the range of allowed clients at the PIX.
 

Accepted Solution

by:
AndHof earned 0 total points
It was a TMG issue. I had only allowed http and https traffic from internal to external and not the DNS request. When I changed "This rule applies to All outbound traffic" instead of selected protocols HTTP and HTTPS it works fine.
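The rule change described in the accepted solution, as an added example that is not part of the original thread: a simplified first-match rule model (not TMG's actual policy engine) showing why an allow rule limited to HTTP and HTTPS drops DNS queries. Rule names, network names and the sample flows are constructed; the DNS-only variant is an assumption, included as a narrower alternative to allowing all outbound traffic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # network name, or "any"
    dst: str              # network name, or "any"
    services: frozenset   # {(protocol, port)}; empty set = all traffic


def evaluate(rules, src, dst, proto, port):
    """Return (action, rule name) of the first rule matching the flow."""
    for r in rules:
        net_ok = r.src in (src, "any") and r.dst in (dst, "any")
        svc_ok = not r.services or (proto, port) in r.services
        if net_ok and svc_ok:
            return r.action, r.name
    return "deny", "implicit"


WEB = frozenset({("tcp", 80), ("tcp", 443)})
DNS = frozenset({("udp", 53), ("tcp", 53)})
ALL = frozenset()
DEFAULT_DENY = Rule("Default rule", "deny", "any", "any", ALL)

# Policy before the fix: only HTTP and HTTPS allowed outbound.
BEFORE = [Rule("Web access", "allow", "Internal", "External", WEB),
          DEFAULT_DENY]
# The change made in the thread: the rule applies to all outbound traffic.
AFTER_ALL = [Rule("Web access", "allow", "Internal", "External", ALL),
             DEFAULT_DENY]
# Assumed narrower alternative: add only DNS to the selected protocols.
AFTER_DNS = [Rule("Web access", "allow", "Internal", "External", WEB | DNS),
             DEFAULT_DENY]

# Constructed sample flows from a LAN host towards the internet.
FLOWS = {
    "dns query": ("Internal", "External", "udp", 53),
    "https": ("Internal", "External", "tcp", 443),
    "smtp": ("Internal", "External", "tcp", 25),
}


def verdicts(rules):
    """Map each sample flow to the action the policy takes on it."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in [("before", BEFORE), ("all outbound", AFTER_ALL),
                          ("web + dns", AFTER_DNS)]:
        print(label, verdicts(policy))
```

With the first policy the browser's HTTPS connection would be allowed, but the name lookup that has to precede it falls through to the default deny rule, which matches the "DNS server isn't responding" symptom reported from the LAN clients.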
 

Author Closing Comment

by:AndHof
I found the solution. What else could I say? However I gave myself the lowest grade for the correct answer.
