Wednesday, November 14, 2012 8:10 PM
I am having an issue with getting my TMG (EE) server to allow PING from a client on the same subnet. This is a lab environment, but the same thing is happening in my production environment. I am attempting to allow PINGs from CLIENT01 to get to TMG01 and allow TMG01 to respond back to CLIENT01. When I ping the TMG server, I get no reply on the client. I see this traffic on the TMG live log and it is being DENIED by the default rule. See attached image. Am I missing something here? I've even tried creating an access rule and no luck.
-Single NIC on TMG01
-Only Firewall Policy is the Default Deny policy
-CLIENT01 has been added to Remote Management Computers computer set
-Verified the System Policy Editor has ICMP (Ping) enabled and has Remote Management Computers in the FROM tab
-System Policy Rule:
Name: Allow ICMP (PING) requests from selected computers to Forefront TMG
From/Listener: Enterprise Remote Management Computers & Remote Management Computers
To: Local Host
Condition: All Users
- Edited by barocky82 Wednesday, November 14, 2012 8:12 PM
Thursday, November 15, 2012 7:12 AM
Please check the TMG live logging to see which Firewall Policy rule blocks the request.
Is it possible to Ping the client from the TMG Server?
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
Thursday, November 15, 2012 12:35 PM
Thanks for the reply. I am able to ping CLIENT01 from TMG01 just fine, but not the other way around. The default policy rule is blocking the traffic. Further, when I disable the TMG firewall (net stop fweng /y), I am able to ping TMG01 from CLIENT01 just fine - as expected.
Any help is appreciated!
Thursday, November 15, 2012 4:56 PM
Just create an access rule to allow PING or any traffic you desire from internal to local host. Very easy..
Create access rule,
Selected Protocols = PING
From/Source = Internal
To/Destination = Local Host
Finish and Apply..
Done and done
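The same rule, created with the TMG COM administration object model instead of the console. This is an added example, not code from the thread or from Microsoft; it assumes the object and method names documented in the ISA/TMG SDK (FPC.Root, GetContainingArray, ArrayPolicy.PolicyRules.AddAccessRule, AccessProperties, SourceSelectionIPs, DestinationSelectionIPs) and the enumeration values noted in the comments. The rule name is constructed; "Internal", "Local Host" and "PING" are the built-in network and protocol names used in the post above.

```powershell
# Added example (not from the thread): create "allow PING from Internal to Local Host"
# through the TMG COM object model. Run in an elevated PowerShell session on TMG01.
# Names follow the ISA/TMG SDK; the enumeration values below are assumed from the SDK.

$ruleName = "Allow PING from Internal to Local Host"   # constructed rule name

$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: allow (assumed SDK value)
$fpcInclude               = 0   # FpcIncludeStatus: include (assumed SDK value)
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: selected protocols only (assumed)

$fpc   = New-Object -ComObject "FPC.Root"
$array = $fpc.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

# Do not create a second copy if the rule is already there (re-runnable script).
$existing = $rules | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Host "Rule '$ruleName' already exists; nothing to do."
    return
}

# New access rules are appended after the existing user rules, which keeps them
# above the built-in Default rule that is currently denying the traffic.
$rule = $rules.AddAccessRule($ruleName)
$rule.AccessProperties.Action = $fpcPolicyRuleActionAllow
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.Add("PING", $fpcInclude)   # only ICMP echo, not "All outbound traffic"
$rule.SourceSelectionIPs.Networks.Add("Internal", $fpcInclude)       # From: Internal
$rule.DestinationSelectionIPs.Networks.Add("Local Host", $fpcInclude) # To: Local Host

# Commit the change; this is the equivalent of clicking Apply in the console.
$rule.Save()
Write-Host "Created rule '$ruleName'. Verify with a ping from CLIENT01 and check the live log."
```

After the rule is saved, the check is the same one the original poster used: ping TMG01 from CLIENT01 and confirm in the TMG live log that the request now matches the new rule rather than the Default rule. Keeping the protocol limited to PING (rather than allowing all traffic to Local Host) keeps the exposed surface of the firewall host to exactly what the troubleshooting needs.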
Friday, November 16, 2012 6:10 AM Moderator
Thank you for the post.
As far as I know, the web proxy client only supports HTTP, HTTPS, and FTP for download requests. For a non-TCP or UDP protocol (ICMP), you need to configure a SecureNAT client, whereas it is not supported in single NIC mode: http://technet.microsoft.com/en-us/library/cc995236.aspx
Nick Gu - MSFT
- Proposed As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Friday, November 23, 2012 5:29 AM
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Saturday, November 24, 2012 12:07 PM