ForeFront TMG as Hyper-V guest

  • Wednesday, August 06, 2008 7:00 PM Mike.N1

    I'm using TMG in a Win 2008 Hyper-V virtual environment on a physical server (Athlon 64 X2 5600+ / 8 GB RAM / dual NIC) and have set up a lab environment with the following configuration:

    DNS server (also domain PDC server): Win08 STD, one virtual NIC (IP: 192.168.3.1/255.255.255.0, GW: 192.168.3.254)
    TMG server: Win 2008 STD (stand-alone domain member), dual virtual NICs: Public NIC (IP: 192.168.2.254/255.255.255.0, GW: 192.168.1.254, no DNS IP) and Local NIC (IP: 192.168.3.254/255.255.255.0, DNS: 192.168.3.1, no gateway IP)

    As suggested by Microsoft, the TMG server refers to the internal DNS server on the Local NIC and has just one gateway, on the Public NIC.
    What I'm experiencing is that I cannot look up DNS records on either (virtual) server, and because of that I don't have internet access on either the TMG or the DNS server.

    I noticed that when I do an nslookup on the DNS server (or TMG), the TMG logs show all the requests from the DNS server denied by the Default rule (which denies all traffic). Then I created an Allow policy to allow DNS requests (port 53) from the Internal network to External networks. Now I see that the nslookup-initiated requests coming from the DNS server are allowed through to the external DNS server (192.168.1.254) by the new policy, but the response is not getting back from the external DNS, and because of that the DNS lookup fails.

    I thought TMG should allow DNS lookups by default using system policies (like ISA 2006 did), and if not, then why is it still not working after creation of the Allow DNS policy?

    I thought maybe it's because I'm using TMG as a virtual machine, so I did some research and followed the direction to set EnableTCPA and EnableRSS to (DWORD) 0 and disabled task offload for both NICs on the TMG virtual machine, but still no luck. I wonder if anybody has the solution and can help with this.

All Replies

  • Monday, August 11, 2008 8:20 AM HendrikdeRochemont
    Hi Mike.N1,

    I have the same situation as you have: TMG on a virtual machine (Hyper-V). Same problem with DNS settings. When I set the default gateway on my DNS server to TMG (instead of my ISA server), DNS cannot resolve the specified forwarders, and after a few minutes TMG totally hangs at 100% CPU. I cannot do anything other than reset TMG.
  • Wednesday, August 13, 2008 9:55 PM Mike.N1
    I was hoping someone from Microsoft would help with this issue, or at least let us know whether TMG as a guest in Windows 2008 Hyper-V is supported/tested or not, and if yes, what the supported scenario or configuration is.
  • Wednesday, October 01, 2008 6:42 PM mamu001
    Having the same problem here. Has the current version of TMG worked for anyone? Workaround?
  • Friday, November 21, 2008 3:28 PM Jim Harrison IsaDewd
    TMG, like ISA Server before it, installs in "network brick" mode - IOW "none shall pass".
    As with ISA Server, system policies only allow traffic to or from the firewall; not across it.
    If you want traffic to cross TMG, you have to create policies that allow it.

    Mike.N1 - You stated that you see DNS traffic crossing ISA destined for 192.168.1.254. Since this is the ISA external IP, I have to ask: do you have DNS services running on the ISA? If not, I would expect to see no responses.
    Jim Harrison Forefront Edge CS
  • Friday, November 21, 2008 3:29 PM Jim Harrison IsaDewd
     Proposed Answer
    Hendrickde,

    This is a known problem in pre-release TMG only.
    This is fixed in EBS and TMG MBE.
    Jim Harrison Forefront Edge CS
  • Thursday, June 04, 2009 9:12 PM Douks

    All

    I have solved my DNS (access rule) problem...

    Looking into the network sets created after my install, all didn't look well - I had taken the "back firewall" configuration option during the network configuration wizard, as this fits my test environment. This resulted in the internal network correctly representing my internal LAN stuff, but the perimeter network included all other networks (including the internet and all other private ranges). This is not what I wanted from the config, as I wanted to be able to define rules to the perimeter (DMZ) differently from those to the internet. Anyway, I attempted to re-run the wizard, but no joy, as it kept getting right to the end and then erroring out.

    So, I've uninstalled the previous install of TMG and reinstalled, this time selecting "edge" as the topology in the network configuration wizard. Now everything (DNS forwarder rules, Web, etc.) is working as expected.

    I would be interested to know whether anyone else experiencing the DNS (or any other access rule) problems under the Hyper-V guest scenario installed using the same topology that I did originally, as my findings suggest it may be the source of the problem. This topology caused me issues both when TMG was installed on the parent and when it was installed on the guest.

    Apologies if this is a known issue with beta 2, but having just had a quick look through the release notes I can't see anything specific that relates to it.

    Douks
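The two points raised in this thread (Jim Harrison's, that traffic only crosses TMG through explicit access rules and the system policy covers only traffic to or from the firewall itself, and Douks', that an over-wide perimeter network set swallowed the internet so the "Internal to External" rule never matched) as a small Python model. This is an added illustration, not TMG's code and not anything posted by the participants. It assumes CIDR notation for network ranges (TMG uses address ranges) and a simplified system policy; the addresses are the lab values from the first post, and the network sets, rules and NIC table are constructed sample data.

```python
"""Toy model of TMG-style network classification and access-rule evaluation.

Added illustration for this thread, not TMG's own code. TMG defines networks
as address ranges and evaluates access rules top-down with a final deny-all;
this model uses CIDR blocks (an assumption) with the same first-match idea.
All networks, rules and NIC settings below are constructed sample data built
from the lab addresses posted in the thread.
"""
from ipaddress import ip_address, ip_network

# TMG's own NIC addresses, as posted in the first message.
FIREWALL_IPS = {ip_address("192.168.2.254"), ip_address("192.168.3.254")}


def classify(ip, networks):
    """Name of the first defined network whose ranges contain ip.
    As in TMG, 'External' is simply everything not assigned elsewhere."""
    addr = ip_address(ip)
    for name, ranges in networks.items():
        if any(addr in ip_network(r) for r in ranges):
            return name
    return "External"


def check_networks(networks):
    """Report pairs of defined networks whose ranges overlap. An overlap
    means a destination may be classified into the wrong network and so
    never match the rule written for it (Douks' perimeter problem)."""
    names = list(networks)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ra in networks[a]:
                for rb in networks[b]:
                    if ip_network(ra).overlaps(ip_network(rb)):
                        problems.append((a, b, ra, rb))
    return problems


def evaluate(src, dst, port, networks, rules):
    """First-match evaluation. rules: (action, src_net, dst_net, port|None).
    Simplified system policy: traffic to or from the firewall host itself is
    allowed; nothing crosses between networks without a user rule."""
    if ip_address(src) in FIREWALL_IPS or ip_address(dst) in FIREWALL_IPS:
        return ("allow", "system policy (to/from firewall)")
    s, d = classify(src, networks), classify(dst, networks)
    for action, rule_src, rule_dst, rule_port in rules:
        if (s, d) == (rule_src, rule_dst) and rule_port in (None, port):
            return (action, f"{rule_src}->{rule_dst} port {rule_port}")
    return ("deny", "default rule")


def check_nics(nics):
    """Sanity-check the two-NIC layout from the first post: exactly one
    default gateway (on the external NIC), DNS servers only on the internal NIC."""
    problems = []
    with_gw = [n for n, c in nics.items() if c.get("gateway")]
    if len(with_gw) != 1:
        problems.append(f"expected one default gateway, found on {with_gw}")
    for name, c in nics.items():
        if c["role"] == "external" and c.get("dns"):
            problems.append(f"{name}: external NIC should not list DNS servers")
        if c["role"] == "internal" and c.get("gateway"):
            problems.append(f"{name}: internal NIC should not have a gateway")
    return problems


# Constructed scenarios. Edge template: only Internal is defined.
EDGE = {"Internal": ["192.168.3.0/24"]}
# Back-firewall template as Douks described it: the Perimeter swallowed everything.
BACK_FW_BROKEN = {"Internal": ["192.168.3.0/24"], "Perimeter": ["0.0.0.0/0"]}
# Same template with the perimeter narrowed to one DMZ subnet (assumed value).
BACK_FW_FIXED = {"Internal": ["192.168.3.0/24"], "Perimeter": ["192.168.2.0/24"]}
ALLOW_DNS = ("allow", "Internal", "External", 53)
TMG_NICS = {
    "Public": {"role": "external", "gateway": "192.168.1.254", "dns": []},
    "Local": {"role": "internal", "gateway": None, "dns": ["192.168.3.1"]},
}

if __name__ == "__main__":
    # The DNS server 192.168.3.1 querying the upstream 192.168.1.254 from the thread.
    print(evaluate("192.168.3.1", "192.168.1.254", 53, EDGE, []))
    print(evaluate("192.168.3.1", "192.168.1.254", 53, EDGE, [ALLOW_DNS]))
    print(evaluate("192.168.3.1", "192.168.1.254", 53, BACK_FW_BROKEN, [ALLOW_DNS]))
    print(check_networks(BACK_FW_BROKEN))
    print(evaluate("192.168.3.1", "192.168.1.254", 53, BACK_FW_FIXED, [ALLOW_DNS]))
    print(check_nics(TMG_NICS))
```

Running it shows the progression from the thread: the lookup is denied by the default rule until an Internal-to-External port 53 rule exists; with the over-wide perimeter set the same rule never matches because 192.168.1.254 is classified as Perimeter, and `check_networks` flags the overlap that causes it; narrowing the perimeter makes the rule match again. The response path is outside the model, which is why a request seen as "allowed" in the log can still fail to resolve, as Jim's reply points out.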

  • Wednesday, July 01, 2009 12:05 AM Jim Harrison IsaDewd
     Proposed Answer
    This sounds more like a simple misconfiguration than anything else.
    Changing the network template also changes a great deal about how TMG behaves in the network structure.
    Without seeing the details of "before" and "after", it's impossible to say exactly what the root problem may have been, but I feel comfortable saying that it wasn't Hyper-V related.
    Jim Harrison Forefront Edge CS