Bizarre routing behavior when enabling VPN on FTMG 2010
-
Thursday, April 01, 2010 8:37 PM
I am seeing a very strange behavior, which I'll describe here:
- FTMG is set up as a basic edge server. One external interface to the internet, one internal interface to the LAN.
- The server is a member of a domain, hosted in the local subnet 192.168.1.xx that the LAN interface is on.
- I enable SSTP VPN dial-in following the wizard steps in FTMG.
- Clients connect successfully over SSTP and get their IP config via DHCP from the domain controller.
Strange behaviors:
1) Open a command window on the VPN client and do "ping <machine>". Name resolution appears to be very slow, but eventually succeeds, and the ping command continues normally and succeeds eventually. IPCONFIG /ALL on the VPN machine shows nothing out of the ordinary; it's pointing to the DC for DHCP, DNS, and WINS resolution.
2) This is the really disruptive part: things work fine until the first VPN client connects. Once the VPN client has connected (and then even after they log off), routing on OTHER INTERNAL, NON-VPN clients gets screwed up. Opening a web browser to, say, www.nytimes.com seems to fail (loooong attempt to connect, doing nothing, with the IE toolbar showing that it thinks it's connecting to a local intranet client).
3) A reboot of the FTMG server seems to be necessary to restore normal operation.
I took a look at the routing tables on both the internal clients and the FTMG machine when it was in this state, but I don't see anything that seems terribly out of whack.
The FTMG Network Rules are set up such that there is a NAT relationship between Internal and External, and a route relationship between localhost and Internal, as well as between VPN Clients and Internal. To keep things simple I avoided adding VPN Clients to the NAT relationship to external, but that didn't seem to have any impact on this behavior.
I'm quite stymied by this behavior and can't reenable VPN unless I can figure out why this is so broken, as it's screwing up normal internet access to other internal clients.
Thanks,
Andy
All Replies
-
Monday, April 05, 2010 5:35 PM
Andy,
Can you provide information :
- How are the internal and external interfaces on the IP stack of your TMG server configured? Do you have an internal gateway set on your TMG server, and/or are you pointing to your external DNS servers on your external interface instead of your internal DNS servers?
- When you connect via SSTP for your VPN clients (via the SSTP configuration on the client), do you have the "use default gateway on remote network" checked or unchecked on the VPN client IPv4 properties | Advanced tab ?
An "adapted" (no real IPs, to protect the innocent :-)...) IPCONFIG /ALL from one of your VPN clients, your TMG server and perhaps your AD DNS server and a sample LAN-based client may help clear this up a little further.
Mylo
-
Tuesday, April 06, 2010 9:53 AM (Moderator)
Hi Andy,
Do you have any update about this issue?
Regards,
Nick Gu - MSFT
-
Wednesday, April 07, 2010 3:28 AM
Sorry for the delay, I was out of town for a few days. Answers follow:
- The TMG Gateway server is a Hyper-V VM on a Win 2008 R2 Enterprise server. The VM is running R2 standard rather than enterprise. The IP config is as follows:
- The Internet side adapter is the only VM using the particular physical adapter that connects to the internet. That adapter is not shared with the parent partition. This adapter retrieves its IP address via DHCP, but the DNS server is manually set to point to the domain controller (192.168.1.xxx), which is on the LAN side adapter. The best practices seem to say that the external adapter should have no DNS config at all, but that doesn't seem to be physically possible if you must get your external IP address via DHCP from the ISP, as is the case here. Leaving it blank just causes Windows to set it back to "Automatic" and then it would get a DNS config that points to the ISP's DNS servers. Having it set this way was Shinder's response to my earlier question of how to deal with dynamically allocated ISP IP config on the internet interface.
- The DNS server running on the domain controller forwards recursively to the ISP DNS servers for DNS queries it can't resolve locally, which wind up getting routed via NAT through the TMG gateway.
- The LAN side adapter uses a different physical adapter, of course, which connects to the LAN.
- The LAN side adapter has a static config with no default gateway set, and pointing to the same internal domain controller for DNS.
I don't believe I changed any of the defaults on the SSTP VPN client with respect to the "use default gateway" checkbox. What's it set to normally?
Here's an IPCONFIG from the TMG server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : FTMG
   Primary Dns Suffix  . . . . . . . : OneAcreWood.local
   Node Type . . . . . . . . . . . . : Peer-Peer
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : OneAcreWood.local

Ethernet adapter LAN Side:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
   Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.x(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx
   DNS Servers . . . . . . . . . . . : 192.168.1.yy
   Primary WINS Server . . . . . . . : 192.168.1.yy
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Internet Side:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 98.117.xxx.xxx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, April 06, 2010 7:51:11 AM
   Lease Expires . . . . . . . . . . : Tuesday, April 06, 2010 9:51:24 PM
   Default Gateway . . . . . . . . . : xx.xxx.xxx.1
   DHCP Server . . . . . . . . . . . : xx.xxx.xxx.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx
   DNS Servers . . . . . . . . . . . : 192.168.1.yy
   Primary WINS Server . . . . . . . : 192.168.1.yy
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

The DNS server/Domain controller:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : OAW-HYPERV
   Primary Dns Suffix  . . . . . . . : OneAcreWood.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : OneAcreWood.local

Ethernet adapter Connection to Virtual LAN:

   Connection-specific DNS Suffix  . : OneAcreWood.local
   Description . . . . . . . . . . . : LAN Side Virtual Network
   Physical Address. . . . . . . . . : 00-zz-zz-zz-zz-zz
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Site-local IPv6 Address . . . . . : fec0:1ac0::xx%1(Preferred)
   Site-local IPv6 Address . . . . . : fec0:1ac0::xxxx:xxxx:xxxx:xxxx%1(Preferred)
   Lease Obtained. . . . . . . . . . : Saturday, April 03, 2010 1:56:51 PM
   Lease Expires . . . . . . . . . . : Wednesday, April 07, 2010 1:56:53 AM
   Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.yy(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : xxxxxxxxxxxxxxxxxxxxxxxxxxx
   DNS Servers . . . . . . . . . . . : fec0:1ac0::yy%1
                                       ::1
                                       192.168.1.yy
                                       127.0.0.1
   Primary WINS Server . . . . . . . : 192.168.1.yy
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List : OneAcreWood.local

Tunnel adapter isatap.{13A1DBF7-BE5C-473A-AF01-64D0F88F5DB9}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : OneAcreWood.local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

A typical LAN client:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Andrewsi-home
   Primary Dns Suffix  . . . . . . . : OneAcreWood.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : OneAcreWood.local
   System Quarantine State . . . . . : Not Restricted

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : OneAcreWood.local
   Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : 00-zz-zz-zz-zz-zz
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Site-local IPv6 Address . . . . . : fec0:1ac0::zzzz%1(Preferred)
   Lease Obtained. . . . . . . . . . : Thursday, April 01, 2010 1:22:40 PM
   Lease Expires . . . . . . . . . . : Wednesday, April 07, 2010 6:58:28 AM
   Link-local IPv6 Address . . . . . : fe80::qqqq%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.n(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, April 01, 2010 1:22:39 PM
   Lease Expires . . . . . . . . . . : Tuesday, April 06, 2010 9:22:42 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.yy
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : xxxxxxxxx
   DNS Servers . . . . . . . . . . . : fec0:1ac0::yy%1
                                       ::1
                                       192.168.1.yy
   Primary WINS Server . . . . . . . : 192.168.1.yy
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List : OneAcreWood.local

I'll have to add the config of one of the VPN clients later: I've temporarily disabled the VPN access through the TMG gateway to avoid creating problems for the LAN users.
-
Wednesday, April 07, 2010 3:32 AM
See above, just added details - I was out of town for a few days.
-
Wednesday, April 07, 2010 8:12 AM (Moderator)
Hi,
Thank you for the post.
Please remove the DNS settings on external interface of the TMG server. Just point to the internal DNS server on internal interface.
Regards,
Nick Gu - MSFT
-
Wednesday, April 07, 2010 3:50 PM
As I explained earlier, you _can't_ remove the DNS settings on the external interface. The external interface has to get its IP settings from the ISP using DHCP; it does not have a static address. When you do this, you only have two choices: manually set a DNS address, or accept the automatic DNS settings the ISP sets via DHCP, but if you leave the DNS fields manual-but-empty, Windows just goes ahead and sets it back to "automatic." Tom Shinder, in a separate post, suggested setting the DNS entry on the external interface, therefore, to the internal DNS server address on 192.168.xx.
-
Monday, April 12, 2010 8:58 PM
Andrew,
Hmmm... tough break... You can put a (NAT) router in front of your TMG server, enable DHCP on it and get the settings for your TMG server (without DNS) and use that for the public interface, in effect creating a DMZ compartment between yourself and the router. That way you can avoid configuring DNS within the DHCP scope for that segment and revert to using the internal DNS server on your internal interface. Not ideal, I know...
Mylo
-
Wednesday, April 21, 2010 6:46 PM
I think I've narrowed down the issue, but am at a loss how to get around it.
The basic problem is that the autoconfig of proxy for internal clients points to the TMG machine, as you'd expect- for example, an internal client's internet connection settings shows:
- Automatically detect settings
- Use automatic config script: http://<my ftmg machine>:8080/array.dll?getroutingblahblahblah
- Use proxy server: address:<my ftmg machine> port:8080
- Don't use proxy for local addresses.
The FTMG machine has a static address of 192.168.1.1 on the internal adapter. Now, when the first VPN client connects, you can see a message in the system log which says:
"The Remote Access Server acquired IP Address 192.168.1.33 to be used on the Server Adapter."
Once this happens, launching a web page in IE on any internal client first attempts to connect to 192.168.1.33:8080. When that fails (after an annoying 12 second delay), it then seems to set up an RWS connection and the web access proceeds normally. I have a netmon capture that shows this process. I suspect that the local clients' attempts to resolve FTMG to make the proxy connection are resulting in them getting the remote adapter address (192.168.1.33) rather than the intended static address, which is 192.168.1.1 (which is also the default gateway provided by DHCP).
By disabling all of the proxy settings EXCEPT "automatically detect settings" and by entering the address of the Proxy Client as 192.168.1.1 rather than by name, I THINK I may have cured this.
Update --> I am now sure this is the problem. I took a look at the wpad.dat being offered up by the FTMG machine and it contains this:

DirectNames=new MakeNames();
cDirectNames=1;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("192.168.1.33",4142465342,1.000000);   <--- This is the address DHCP assigned to the RAS adapter, not the main adapter for the LAN network on the FTMG machine.

So how do I get FTMG to use the correct address here rather than the address of the PPP RAS Async adapter?
-
Thursday, April 22, 2010 7:14 PM
After some more research I now have a solution.
For some reason, FTMG's code that builds the WPAD.DAT is using the IP address rather than the DNS name. This can be worked around with a tool from isatools.org (http://isatools.org/tools/carpnamesystem.js), which allows you to change a setting so that it uses the DNS name instead. Once this is run, the firewall service needs to be restarted, but then the proxy Node property will contain an FQDN instead of an IP address, and the problem is cured (the right way).
I don't think the setting persists across reboots, so I wrote a quick script to stop RRAS and FWSRV on system startup, run the JS, then restart the services.
- Marked As Answer by AndrewSi Thursday, April 22, 2010 7:14 PM
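An added example, not part of the thread and not code from TMG or from isatools.org: a small JavaScript checker for the wpad.dat that TMG serves to internal clients. It pulls the Node(...) entries out of the MakeProxies() function Andrew pasted above, flags any node given as an IP literal (which is how the RAS-acquired 192.168.1.33 showed up) and any node that is not a host the operator expects clients to reach, so the same check can be re-run after the carpnamesystem.js change and the firewall service restart from the accepted answer. The two wpad.dat fragments embedded in it are constructed samples; the FQDN ftmg.oneacrewood.local is an assumption.

```javascript
// Added example, not code from the thread, from TMG or from isatools.org.
// Audits the proxy nodes a TMG array advertises in wpad.dat. In the real file
// the node list looks like the fragment pasted earlier in the thread:
//   this[0]=new Node("192.168.1.33",4142465342,1.000000);
// The two fragments below are constructed samples; the FQDN is assumed.

const WPAD_BEFORE_FIX = `
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("192.168.1.33",4142465342,1.000000);
}
`;

const WPAD_AFTER_FIX = `
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("ftmg.oneacrewood.local",4142465342,1.000000);
}
`;

// Extract every Node("host", hash, load) entry from the MakeProxies() body.
function parseProxyNodes(wpadText) {
  const re = /new\s+Node\(\s*"([^"]+)"\s*,\s*(\d+)\s*,\s*([\d.]+)\s*\)/g;
  const nodes = [];
  let m;
  while ((m = re.exec(wpadText)) !== null) {
    nodes.push({ host: m[1], hash: m[2], load: Number(m[3]) });
  }
  return nodes;
}

// The HttpPort clients combine with the node host to reach the proxy.
function parseHttpPort(wpadText) {
  const m = /HttpPort\s*=\s*"(\d+)"/.exec(wpadText);
  return m ? Number(m[1]) : null;
}

// Dotted-quad test. A node given this way is an address TMG picked itself,
// which is how the RAS-acquired address ended up in front of every client.
function isIPv4Literal(host) {
  const parts = host.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Audit the file: every node must be a name rather than an IP literal, and
// must be one of the hosts the operator expects internal clients to proxy via.
function auditWpad(wpadText, expectedHosts) {
  const expected = expectedHosts.map((h) => h.toLowerCase());
  const port = parseHttpPort(wpadText);
  const nodes = parseProxyNodes(wpadText);
  const findings = [];
  if (nodes.length === 0) findings.push("no proxy nodes found in MakeProxies()");
  if (port === null) findings.push("HttpPort missing");
  for (const n of nodes) {
    if (isIPv4Literal(n.host)) {
      findings.push(`node ${n.host} is an IP literal, not a DNS name`);
    }
    if (!expected.includes(n.host.toLowerCase())) {
      findings.push(`node ${n.host} is not an expected proxy host`);
    }
  }
  const endpoints = nodes.map((n) => `${n.host}:${port}`);
  return { port, nodes, endpoints, findings, ok: findings.length === 0 };
}

// Stand-alone run: what clients would be told before and after the fix.
if (typeof require !== "undefined" && require.main === module) {
  const expected = ["ftmg.oneacrewood.local"];
  for (const [label, text] of [["before", WPAD_BEFORE_FIX], ["after", WPAD_AFTER_FIX]]) {
    const r = auditWpad(text, expected);
    console.log(label, r.endpoints, r.ok ? "OK" : r.findings);
  }
}
```

Run it with node against the text fetched from http://<tmg>:8080/wpad.dat (the fetch is left out so the example runs offline). An IP-literal node turning up again after a reboot is the symptom Andrew describes when he suspected the setting did not persist, so this is the check to put behind the startup script rather than restarting the services blind.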
-
Thursday, April 22, 2010 8:08 PM
Hi Andrew,
This is a known problem with TMG: http://social.technet.microsoft.com/Forums/en/ForefrontedgeIA/thread/2c4e342f-0ab7-4cd7-b007-0f2b0c559704
This script will provide a permanent fix by using a DNS name for the proxy definition in the WPAD.DAT file, rather than having to do the above...
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Thursday, April 22, 2010 8:41 PM
It appears that the script in that post does effectively the same thing as the one I pointed to. I thought I saw that after a reboot the WPAD.DAT had reverted to the prior behavior, which is what made me think I should script it to reset it after each restart, but perhaps that's not necessary.
-
Thursday, April 22, 2010 11:16 PM
I didn't check your script, but they could be the same.
Just wanted you to know it was a known issue and that is the current recommended workaround ;)
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk