Network outside internal not reaching TMG Forefront 2010 (Hyper-V environment)
Posted
by
Pascal
on Server Fault
See other posts from Server Fault
or by Pascal
Published on 2011-01-05T14:44:04Z
Indexed on
2011/01/05
14:55 UTC
Read the original article
Hit count: 346
Below is my environment:
I have 1 physical machine running Windows 2008 R2, with the Hyper-V role. This machine has 3 physical NICs:
- One for Internet
- One for Internal Network
- One for Wireless Network
All 3 have their respective Virtual Networks in Hyper-V, and I have an extra Private virutal machine network for a DMZ Network.
In one of the virtual machines, I have TMG Forefront 2010 SP1 installed, with all 4 networks available to it. Below is the IPCONFIG /ALL at the firewall:
Windows IP Configuration
Host Name . . . . . . . . . . . . : FRW-EXP1-02
Primary Dns Suffix . . . . . . . : exp1.eti.br
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : exp1.eti.br
Ethernet adapter Internet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #4
Physical Address. . . . . . . . . : 00-15-5D-01-06-0E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::6d05:6033:4cfc:bdf5%15(Preferred)
IPv4 Address. . . . . . . . . . . : 189.100.110.xxx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Lease Obtained. . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 11:17:24
Lease Expires . . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 16:07:02
Default Gateway . . . . . . . . . : 189.100.96.xxx
DHCP Server . . . . . . . . . . . : 201.6.2.43
DHCPv6 IAID . . . . . . . . . . . : 436213085
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : 201.6.2.163
201.6.2.43
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Rede Interna:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-01-06-0C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::51ff:4723:ce4c:bbc3%14(Preferred)
IPv4 Address. . . . . . . . . . . : 10.50.75.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 352327005
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : 10.50.75.1
10.50.75.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-01-06-0A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d4c5:75cf:e9aa:73e1%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.10.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 301995357
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Wireless:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-06-0B
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::459:8ca6:d02:8da1%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 234886493
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
I have the Networks below at Forefront:
External: IP addresses external to the Forefront TMG Networks
Internal: 10.50.75.0 - 10.50.75.255
Local Host:
Perimiter: 192.168.10.0 - 192.168.10.255
Wireless: 192.168.1.0 - 192.168.1.255
In the Networks Rules, I have:
1 => Route => Local Host => All Networks
2 => Route => Quarantined; VPN => Internal
3 => NAT => Internal; VPN => Perimiter
4 => NAT => Internal; Perimiter; Quarantined; VPN; Wireless => External
My problem is that I can only communicate with the Internal and External networks. If a ping www.google.com or 10.50.75.21 from the Forefront VM, I get answer backs without a problem. If I try to ping a machine at the Perimiter network or the Wireless network, it doesn't get routed back to Forefront, and it's the default gateway on all Networks. Here as ping samples:
PS C:\Users\Administrator.TPB1> ping www.google.com
Pinging www.l.google.com [64.233.163.104] with 32 bytes of data:
Reply from 64.233.163.104: bytes=32 time=11ms TTL=58
Reply from 64.233.163.104: bytes=32 time=8ms TTL=58
Ping statistics for 64.233.163.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 11ms, Average = 9ms
Control-C
PS C:\Users\Administrator.TPB1> ping 10.50.75.21
Pinging 10.50.75.21 with 32 bytes of data:
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Ping statistics for 10.50.75.21:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
PS C:\Users\Administrator.TPB1> ping 192.168.10.3
Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.1: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.10.3:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
PS C:\Users\Administrator.TPB1>
The ping to the 192.168.10.3 gets the Destination host unreachable. Below is the ipconfig for the perimiter VM:
PS C:\Users\Administrator.Administrator> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : app-exp1-02
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unkown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-06-08
DHCP Enabled. . . . . . . . . . . : No
IPv4 Address. . . . . . . . . . . : 192.168.10.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 201.6.2.163
201.6.2.43
Trying to ping 192.168.10.1 ( the gateway ) from the DMZ machine also does not work. When I use Log & Reports to monitor packets from Wireless network and Perimiter network, I don't get any packets link PING or HTTP that I try to send. But I do get a lot of spoofing messages for NETBIOS broadcasts... it's like Forefront thinks it's coming from a different network, but I don't know why. Please Help!
Tks
© Server Fault or respective owner
