Answered TMG 2010 Allow PING (ICMP)

  • Wednesday, November 14, 2012 8:10 PM

    Hello,

    I am having an issue with getting my TMG (EE) server to allow PING from a client on the same subnet. This is a lab environment, but the same thing is happening in my production environment. I am attempting to allow PINGs from CLIENT01 to get to TMG01 and allow TMG01 to respond back to CLIENT01. When I ping the TMG server, I get no reply on the client. I see this traffic on the TMG live log and it is being DENIED by the default rule. See attached image. Am I missing something here? I've even tried creating an access rule and no luck.

    Details:

    -Single NIC on TMG01

    -Only Firewall Policy is the Default Deny policy

    -CLIENT01 has been added to Remote Management Computers computer set

    -Verified the System Policy Editor has ICMP (Ping) enabled and has Remote Management Computers in the FROM tab

    -System Policy Rule:

    Name: Allow ICMP (PING) requests from selected computers to Forefront TMG

    Action: Allow

    Protocols: PING

    From/Listener: Enterprise Remote Management Computers & Remote Management Computers

    To: Local Host

    Condition: All Users

    Policy: System


    • Edited by barocky82 Wednesday, November 14, 2012 8:12 PM

All Replies

  • Thursday, November 15, 2012 7:12 AM

    Hi,

    Please check the TMG live logging to see which Firewall Policy rule blocks the request.
    Is it possible to ping the client from the TMG server?


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Thursday, November 15, 2012 12:35 PM

    Hi Marc,

    Thanks for the reply. I am able to ping CLIENT01 from TMG01 just fine, but not the other way around. The default policy rule is blocking the traffic. Further, when I disable the TMG firewall (net stop fweng /y), I am able to ping TMG01 from CLIENT01 just fine - as expected.

    Any help is appreciated!

  • Thursday, November 15, 2012 4:56 PM

    Just create an access rule to allow PING or any traffic you desire from Internal to Local Host. Very easy.

    Create access rule:

    Action = Allow

    Selected Protocols = PING

    From/Source = Internal

    To/Destination = Local Host

    Finish and Apply.

    Done and done.
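    The same access rule created through Forefront TMG's COM administration object (FPC.Root) instead of the console, so it can be reproduced on lab and production boxes identically. This is an added example, not code from the poster; the rule name and the numeric enum values (commented below) are assumptions taken from the TMG SDK, and it must run in an elevated PowerShell session on the TMG server itself.

    ```powershell
    # Added example: create "Allow PING from Internal to Local Host" via the TMG COM model.
    # Assumptions: rule name is arbitrary; enum values are from the Forefront TMG SDK
    # (fpcPolicyRuleActionAllow = 0, fpcSpecifiedProtocols = 1, fpcInclude = 0).
    $ruleName = "Allow PING from Internal to Local Host"

    $fpc   = New-Object -ComObject FPC.Root
    $array = $fpc.GetContainingArray()
    $rules = $array.ArrayPolicy.PolicyRules

    # Idempotent: do not create a duplicate if the rule is already present.
    $existing = $rules | Where-Object { $_.Name -eq $ruleName }
    if ($existing) {
        Write-Host "Rule '$ruleName' already exists (Action=$($existing.Action)); nothing to do."
        return
    }

    # AddAccessRule inserts the new rule above the non-movable Default rule,
    # which is what lets it win over the "Default rule" deny seen in the live log.
    $rule = $rules.AddAccessRule($ruleName)
    $rule.Action = 0                                            # fpcPolicyRuleActionAllow

    # Restrict to the PING protocol definition only, not "all outbound traffic".
    $rule.AccessProperties.ProtocolSelectionMethod = 1          # fpcSpecifiedProtocols
    $rule.AccessProperties.SpecifiedProtocols.Add("PING", 0)    # 0 = fpcInclude

    # Source: the built-in Internal network; destination: the TMG host (Local Host).
    $rule.SourceSelectionIPs.Networks.Add("Internal", 0)
    $rule.AccessProperties.DestinationSelectionIPs.Networks.Add("Local Host", 0)

    # Saving writes the rule to configuration storage; TMG picks it up on the
    # next configuration reload (the equivalent of clicking Apply).
    $rule.Save()

    # Verify the resulting order: the new rule must sit before the Default rule.
    $i = 1
    foreach ($r in $rules) {
        Write-Host ("{0,2}. {1,-45} Action={2}" -f $i, $r.Name, $r.Action)
        $i++
    }
    ```

    If the rule still does not take effect, the order printed at the end is the first thing to check, since only the first matching rule decides the verdict.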

  • Friday, November 16, 2012 6:10 AM (Moderator; marked as Answered)

    Hi,

    Thank you for the post.

    As far as I know, the Web Proxy client only supports HTTP, HTTPS, and FTP for download requests. For non-TCP or UDP protocols (ICMP), you need to configure the SecureNAT client, whereas it is not supported in single NIC mode: http://technet.microsoft.com/en-us/library/cc995236.aspx

    Regards,

    Nick Gu - MSFT