Advisable Configuration in Single Network Adapter Scenario
-
Friday, June 08, 2012 4:06 PM
Hello,
I need help with TMG.
I have installed TMG on Hyper-V. The base server is Windows Server 2008 Ent Core 64-bit and the guest is Windows Server 2008 Ent 64-bit (TMG).
We have configured 2 TMG servers as a single array, synced with each other. We have also enabled NLB on the TMG servers.
We have 4 NICs on the physical server, which we have teamed 2*2. We have 2 virtual machines running on the base server and have configured 2 virtual network adapters. One virtual network adapter has been assigned to the TMG server and the other one to the other virtual machine.
As I have assigned a single virtual network adapter to my TMG server, I have configured the Single Network Adapter topology.
We are using the TMG server just as a forwarder; we are not blocking any traffic from the Internal network to the External on the TMG server, as we have another device for URL filtering.
In the URL Filtering server we have given the NLB IP address, so the flow goes from the client machine to the URL Filtering server, from the URL Filtering server to the TMG, from TMG to the firewall, from the firewall to the IPS and then to the ISP...
I have created a simple rule as attached below.
I have installed TMG BPA on the TMG server and I get the attached error below.
Please let me know the Best Rule to Configure in this scenario if the above one is Incorrect or any other suggestion in this case.
Masterman_777
All Replies
-
Saturday, June 09, 2012 9:44 AM
Hi,
TMG in the Single Network Adapter scenario is not aware of the External network. Change the Firewall Policy rule from External to Internal:
http://technet.microsoft.com/en-us/library/cc995236.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
-
Saturday, June 09, 2012 8:07 PM
Hello Marc,
First of all I want to thank you for replying, and secondly, you are doing tremendous work...
Coming back to your answer, Marc: we have an Internal network, but in it we have added some local IPs of our network for full Internet access. There are some VIP users to whom we have given full Internet access through TMG by adding the client IP to the Internal network.
I want to know how this rule will be, from what to what???
Marc, please, if you can share your e-mail ID so that I can explain my network infrastructure to you in depth and configure TMG in a proper manner.
Masterman_777
-
Saturday, June 09, 2012 8:14 PM
Masterman_777
-
Sunday, June 10, 2012 7:20 AM
Hi,
you can use the Web proxy client to allow / deny access based on users / user groups. Create a user group which is allowed to access the Internet with no restrictions.
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
- Proposed As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Monday, June 11, 2012 4:56 AM
-
Monday, June 11, 2012 4:56 AM (Moderator)
Hi,
Thank you for the post.
Just to add: allowing all outbound traffic is for test purposes. It is not recommended for a production environment. You may allow certain protocols and certain networks.
Regards,
Nick Gu - MSFT
-
Monday, June 11, 2012 12:24 PM
Masterman_777
-
Monday, June 11, 2012 12:49 PM
Hello Marc,
As suggested, I have removed all the local IPs from the Internal network and created a rule to allow all outbound traffic from Local Host to the Internal network, and in the Internal network I have added the IP ranges as below.
Internal network range:
10.0.0.0 10.255.255.255
172.16.0.0 172.31.255.255
192.168.0.0 192.168.255.255
Rule created:
After applying these changes I am facing the error mentioned below in the Monitoring node:
Configuration changes cannot be loaded by Forefront TMG Services.
Description: Configuration changes saved to the
configuration storage server could not be applied to Forefront TMG services.
After 5 attempts to apply the changes, Forefront TMG postpones any new attempts
to apply these changes, and will only renew attempts when a new configuration is
saved to the configuration storage server. Recent alerts may indicate the reason
for this failure.
Configuration Storage Access Blocked
Description: Configuration changes made may result in
loss of connectivity to the configuration storage server MDCINFPXY-2.sci.com and
cannot be applied. This alert is caused by a failure to connect to the Domain
Controller. The error description is: The specified server cannot perform the
requested operation.
The failure is due to error: 0x8007003a
Please suggest now what to do so that everything will be back to normal. Kindly let me know if any additional information is required.
Masterman_777
-
Tuesday, June 12, 2012 5:14 AM
Masterman_777
-
Tuesday, June 12, 2012 6:35 AM
Hi,
you don't have to change the IP address ranges of the Internal network. Put all IP addresses in the Internal network as described in the following article:
http://technet.microsoft.com/en-us/library/cc995236.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
-
Tuesday, June 12, 2012 11:58 AM
Hello Marc,
Thanks for your reply.
I have gone through the link and have added the internal IP addresses to the Internal network. I have created a rule as below and added the TMG, the NLB, my local desktop and the network range in which the TMG server resides.
But now I am facing the error message below while accessing the Internet from my local desktop.
Kindly note that I have added my local desktop IP to the Internal network addresses for direct Internet access.
Network Access Message: The Page cannot be displayed:
Technical Information (for support personnel)
- Error Code: 502 Proxy Error. Forefront TMG denied the
specified Uniform Resource Locator (URL). (12202) - IP Address: xx.xx.xx.xx
- Date: 6/12/2012 11:13:47 AM [GMT]
- Server: MDCINFPXY-2.sci.com
- Source: proxy
I am also getting the warnings mentioned below on the TMG server.
1) Description: Forefront TMG detected a network adapter
connected to multiple networks: Address (TMG 2) xx.xx.xx.xx belongs to network
'Internal' and address xx.xx.xx.xx (TMG 1) belongs to network 'External'. Verify that
all the IP addresses on the network adapter are in the same network, or change
the IP addresses on the network adapter.
2) Description: Forefront TMG cannot connect to the configuration
storage server Servername.contoso.com for one of the following reasons:
- The configuration storage server is not available.
- There are general networking or authentication issues.
- The firewall policy for the array is incorrectly configured.
For information on resolving these issues, see http://go.microsoft.com/fwlink/?LinkId=37487.
Masterman_777
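The "network adapter connected to multiple networks" alert above follows from how TMG classifies addresses: anything not inside a defined network lands in External. The following added example (not from the thread or from TMG) models that classification for one adapter, comparing the RFC 1918-only Internal definition posted above with the all-addresses definition of the single network adapter template; the adapter addresses and the template ranges are constructed assumptions, since the thread masks the real addresses as xx.xx.xx.xx.

```python
"""Model of TMG's network-membership check for a single-NIC array.

Added example, not code from the original thread. Adapter addresses are
constructed; the single-NIC template ranges are an assumption based on
the TechNet article linked in the thread.
"""
import ipaddress

# Internal network exactly as the poster defined it (RFC 1918 only).
RFC1918_INTERNAL = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]
# Single network adapter template (assumed): Internal spans every address
# except loopback, so nothing is left for TMG to classify as External.
SINGLE_NIC_INTERNAL = [
    ("0.0.0.1", "126.255.255.255"),
    ("128.0.0.0", "255.255.255.254"),
]


def classify(addr, internal_ranges):
    """Return the TMG network an address falls in: 'Local Host' for loopback,
    'Internal' if inside a configured range, otherwise 'External' (TMG puts
    every address not in a defined network into External)."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "Local Host"
    for lo, hi in internal_ranges:
        if ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi):
            return "Internal"
    return "External"


def adapter_check(adapter_addrs, internal_ranges):
    """Mirror the alert 'network adapter connected to multiple networks':
    every address bound to one adapter must map to the same network.
    Returns (ok, {address: network})."""
    placement = {a: classify(a, internal_ranges) for a in adapter_addrs}
    return len(set(placement.values())) == 1, placement


if __name__ == "__main__":
    # Constructed: a private array-member address and a non-RFC 1918
    # address (e.g. the second array member or NLB VIP) on the same adapter.
    adapter = ["10.1.2.3", "203.0.113.10"]
    for label, ranges in (("RFC 1918 only", RFC1918_INTERNAL),
                          ("single-NIC template", SINGLE_NIC_INTERNAL)):
        ok, where = adapter_check(adapter, ranges)
        print(f"{label}: {'OK' if ok else 'ALERT: multiple networks'} {where}")
```

With the RFC 1918-only definition the non-private address maps to External and the check fails, which is the condition the alert reports; with the all-addresses definition both addresses are Internal and the check passes.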
-
Tuesday, June 12, 2012 2:09 PM
Hello,
Just adding some more warnings...
1) Intra-Array Configuration Error.
Description: The Web Proxy is not enabled on the
network containing the intra-array address, although resolving requests within
an array is enabled.
2) Invalid Network Adapter Configuration.
Description: The Web Proxy is not enabled on the
network containing the intra-array address, although resolving requests within
an array is enabled.
Masterman_777
-
Wednesday, June 13, 2012 4:37 AM
Masterman_777
-
Thursday, June 14, 2012 5:34 AM
Masterman_777
-
Friday, June 15, 2012 6:28 AM (Moderator)
Hi,
Thank you for the update.
Please enable the Web proxy listener on the intra-array network.
Regards,
Nick Gu - MSFT
- Proposed As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Sunday, June 24, 2012 8:43 AM

