I cannot access the Internet after configuring TMG 2010



I've configured TMG as an Edge Firewall and after configuring it I'm unable to access the Internet.

Following are the configurations I made:

Internal Network Adapter Settings:

IP: 192.168.1.2

Subnet Mask: 255.255.255.0

Gateway : None

DNS: 192.168.1.1

192.168.1.1 is my Domain Controller where I'm also using DHCP.

External Network Adapter Settings:

IP: 192.168.0.101

Subnet Mask: 255.255.255.0

Gateway: 192.168.0.1

DNS: None

After installation, I added an Allow Access rule in the Firewall Policy to allow DNS from Internal to External, but I'm still unable to access the Internet.

Also I can't ping the router's IP (192.168.0.1) from my internal network PCs.

Please can you guide me step by step on how I can configure it properly so I can use the Internet from the internal network.

Where am I making a mistake?

Please, I'll be very thankful.

Waiting for your kind help.

I'm attaching a screenshot of what I've configured.


  On 18/07/2012 at 04:24, Simon- said:

First pic, remove 0.0.0.0 from default gateway. Pic 2, has no DNS... have you set some DNS forwarders on your DNS server?

Removed 0.0.0.0 (I didn't use these zeros, it's empty here). Yes, I also set DNS forwarders on the DNS server (192.168.1.1) but nothing worked.

You need to look at the log on the TMG console in real time. That will show you right away why you aren't getting out, since you will probably see TONS of blocked traffic. TMG doesn't allow pinging by default; it blocks it. Anything you don't explicitly allow is going to be blocked.

  On 18/07/2012 at 05:02, farmeunit said:

Your gateway should be your router. Your DNS server should be your Domain Controller.

Yes... my gateway is my router's IP address on the external network adapter,

and my DNS server is my domain controller's IP on my internal adapter.

I'm not an expert... please consider me a newbie and guide me where things went wrong.

  On 18/07/2012 at 05:29, pupdawg21 said:

You need to look at the log on the TMG console in real time. That will show you right away why you aren't getting out, since you will probably see TONS of blocked traffic. TMG doesn't allow pinging by default; it blocks it. Anything you don't explicitly allow is going to be blocked.

I've attached the log file of TMG 2010 (this is from my virtual network, where I'm having the same issue).

Can you please guide me on what I have to do in order to fix this issue.


Took a quick look at the log; having a hard time matching up what the headers say to the data below. Have to take a deeper look.

As to the default gateway comment, yeah, looks like on the TMG you have your default route 0.0.0.0 set for both internal and external interfaces.

Why do you say your external interface IP is

External Network Adapter Settings:

IP: 192.168.0.101

but then in your screenshot you show .7?

Also, how is this actually connected? And where are your other devices connected? This box physically sits between your router and your switch where other devices are connected, you have nothing else connected to the router? And the internal interface is connected to the switch where all your other devices are connected too?

Also, where is this 192.168.11 network coming from? That jumped out at me in the log:

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

You mention virtual, how does that tie into your network?

Also -- why are you setting this up behind a NAT?? An edge firewall should have an interface actually on the edge ;) Not behind a NAT. This would normally take the place of your router, so is there some specific reason you're setting it up behind NAT?
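A defender's way to act on the advice above (read the TMG log and look for traffic that does not belong): an added example, not from the thread or from Microsoft, that parses lines in the format quoted above, classifies each source against the internal (192.168.1.0/24) and external (192.168.0.0/24) subnets the poster described, and tallies denied connections. The sample log is constructed; its last two lines are invented to show non-NetBIOS cases.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first two lines mirror the format quoted in the thread,
# the last two are made-up entries (DNS and PING are hypothetical service names here).
SAMPLE_LOG = """\
- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection
- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection
- 7/18/2012 3:15:03 PM 192.168.1.50 8.8.8.8 53 DNS Denied Connection
- 7/18/2012 3:15:04 PM 192.168.1.50 192.168.0.1 0 PING Denied Connection
"""

# Subnets as the poster described the two TMG adapters.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # internal adapter 192.168.1.2/24
EXTERNAL = ipaddress.ip_network("192.168.0.0/24")  # external adapter 192.168.0.101/24

# date time AM/PM src dst port <service, may contain spaces> <result> Connection
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<port>\d+) (?P<service>.+?) (?P<result>\w+ Connection)$"
)

def classify(ip_str):
    """Name the subnet a source address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    if ip in INTERNAL:
        return "internal"
    if ip in EXTERNAL:
        return "external"
    return "unknown"

def parse_log(text):
    """Parse log lines; header rows or unrecognised lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()  # thread quotes lines with a leading "- "
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        e["src_net"] = classify(e["src"])
        entries.append(e)
    return entries

def summarize_denied(entries):
    """Count denied connections per (source subnet, service, port)."""
    return Counter((e["src_net"], e["service"], e["port"])
                   for e in entries if e["result"] == "Denied Connection")

def unexpected_sources(entries):
    """Source addresses that belong to neither declared subnet, like the 192.168.11.x host."""
    return sorted({e["src"] for e in entries if e["src_net"] == "unknown"})
```

Any address in the unexpected list means the TMG box is seeing a network it was never told about, which is the question the reply above raises.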

  On 18/07/2012 at 20:50, BudMan said:

Took a quick look at the log; having a hard time matching up what the headers say to the data below. Have to take a deeper look.

As to the default gateway comment, yeah, looks like on the TMG you have your default route 0.0.0.0 set for both internal and external interfaces.

Why do you say your external interface IP is

External Network Adapter Settings:

IP: 192.168.0.101

but then in your screenshot you show .7?

Also, how is this actually connected? And where are your other devices connected? This box physically sits between your router and your switch where other devices are connected, you have nothing else connected to the router? And the internal interface is connected to the switch where all your other devices are connected too?

Also, where is this 192.168.11 network coming from? That jumped out at me in the log:

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

- 7/18/2012 3:15:02 PM 192.168.11.121 192.168.11.255 137 NetBios Name Service Denied Connection

You mention virtual, how does that tie into your network?

Also -- why are you setting this up behind a NAT?? An edge firewall should have an interface actually on the edge ;) Not behind a NAT. This would normally take the place of your router, so is there some specific reason you're setting it up behind NAT?

Actually, the above images are from a real physical network in the office, but the log file is from my VMware virtual network. In both places I'm having the same problem.

That's why in the images the external adapter's IP is 192.168.0.7.

In my log file 192.168.11.2 is my router's IP, which is coming through NAT using a VMware network adapter. It's all virtual.

But in the real physical environment I have a DSL broadband router which also supports NAT. I don't know what's going on??? Which rules do I have to configure in order to get Internet access on my client side?

I can access the Internet on my TMG server but I can't access the Internet on the DC and clients.

So how is this VM network set up? Is it on your desktop, is it ESXi?

"coming through NAT using wmware network adapter"

So you're using NAT -- WTF?? So you've got, like, 3 different NATs going on? In your VM network you have your physical router NAT, you have your PC-to-VM NAT, then in your VM you have TMG-to-clients NAT. And then you're trying to access the internet through this VM? From what client? A VM connected to the host-only network? What is your VM setup?

So you show us and describe a network from work, but then send us a log from your VM, with no details of how that is configured. We can troubleshoot one or the other. Pick one. And then give us the details.

From your screenshot, not even looking at your rules, you cannot have 2 different default gateways and expect it to work ;)

Also, I would not be blocking as the first thing. Get that block rule out of there - make sure you actually have internet working before you attempt to block. That rule could be blocking all your http/https traffic.
