VPN clients can't connect to internal network

  • Question

  • Hi,

    We are currently evaluating TMG 2010 Enterprise SP1, but I'm having problems with VPN connectivity. It's a two-node NLB cluster with all the latest patches from WU.

    TMG is connected directly to the internet and internal network. Two different ISPs actually, but I haven't configured the other one yet.

    I can establish a PPTP VPN connection and ping both of the TMG servers, but I can't access any of the resources in the internal network. I think I can also access external addresses with the VPN, but only with IP addresses, since the DNS servers are in the internal network.

    Only PPTP is enabled for all domain users with max 3 connections, no quarantine.

    VPN address ranges are 10.1.16.1-10.1.16.5 (FW1) and 10.1.16.6-10.1.16.10 (FW2). These addresses are only defined in TMG, so they aren't in any of the routers, internal networks etc. Is that ok?

    Internal network is set to 10.0.0.0-10.0.255.254

    Web Access Rules:

    1: VPN Clients to local host, allow, all outbound, vpn clients, local host, all users

    2: VPN Clients to external, allow, all outbound, vpn clients, external, all users

    3: VPN Clients to internal, allow, all outbound, vpn clients, internal, all users

    4: (Disabled) Blocked Web Destinations, deny, http,https, internal, different url categories, all users

    5: Allow Web Access for All Users, allow, all outbound, internal, external, all users

    Last: Default rule, deny, all traffic, all networks, all networks, all users

    Network Rules:

    1: Local host access, route, local host, all networks

    2: VPN clients to internal network, route, quarantined/vpn clients, internal

    3: Internet access, nat, internal/quarantined/vpn clients, external, default ip address

    So clearly I'm doing something wrong, which I just can't figure out. I'm going on a three-day TMG course, but that's still three weeks away and we need to get VPN working asap. Any ideas where to start checking?

    Thanks,

    Petrus

    Monday, August 30, 2010 5:36 AM

Answers

  • Hello Petrus_KL,

    If I understand correctly, you have 2 TMG 2010 Enterprise Edition servers in an Array. This array is configured for Client to Site (Remote Access) PPTP VPN. The VPN address ranges are 10.1.16.1-10.1.16.5 (FW1) and 10.1.16.6-10.1.16.10 (FW2). You can establish a PPTP VPN connection and ping both of the TMG Array members but you can't access any of the internal resources.

    When TMG receives traffic from a VPN client destined for a resource in the internal network (10.0.x.x), it will forward the traffic to the target resource. The internal machine, which doesn't have a route for the VPN client network (10.1.x.x), will send the traffic to its Default Gateway (an internal router). In case the internal routers don't have a route to reach the VPN client network, the traffic will be dropped.

    In order to make sure that you get a response back to the VPN client from an internal machine, you would need to configure the internal routers (or other devices that internal machines point to as Default Gateway) to point to TMG as Gateway for the VPN client network.

    PS: Please make sure that you add 2 separate routes on your internal routers:

    10.1.16.1-10.1.16.5                      Point to FW1 for Gateway

    10.1.16.6-10.1.16.10                    Point to FW2 for Gateway

    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Wednesday, September 8, 2010 8:48 PM
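The return-path problem Mohit describes, worked through as an added example (this is not code from the thread, from TMG, or from Microsoft): it expands the two VPN pools from the question into the fewest CIDR routes an internal router can actually hold, then does a longest-prefix lookup to show whether an internal host's reply to a VPN client reaches the array member that owns that client address. The pools 10.1.16.1-10.1.16.5 / 10.1.16.6-10.1.16.10 and the internal network 10.0.0.0/16 are from the thread; the TMG internal-interface addresses 10.0.0.1 and 10.0.0.2 and the router tables are constructed placeholders. It also shows why "2 separate routes" matters: the pools are not CIDR-aligned, so a single /28 towards FW1 sends replies for FW2's clients to the wrong member.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# From the thread: VPN client pools handed out by each array member, and the internal network.
FW1_POOL = ("10.1.16.1", "10.1.16.5")
FW2_POOL = ("10.1.16.6", "10.1.16.10")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")

# Assumed (placeholder) internal-interface addresses of the two TMG members; not from the thread.
FW1_INTERNAL_IP = "10.0.0.1"
FW2_INTERNAL_IP = "10.0.0.2"

# A route is (destination prefix, next hop); "connected" marks a directly attached network.
Route = Tuple[ipaddress.IPv4Network, str]


def pool_routes(first: str, last: str, next_hop: str) -> List[Route]:
    """Expand an arbitrary first-last range into the fewest CIDR prefixes, all via next_hop.

    The pools in the thread are not CIDR-aligned (.1-.5 and .6-.10), so one /28 or /29
    per member would overlap; host and /31 routes are what actually fit.
    """
    first_ip, last_ip = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [(net, next_hop) for net in ipaddress.summarize_address_range(first_ip, last_ip)]


def lookup(table: Iterable[Route], dst: str) -> Optional[str]:
    """Longest-prefix match. None means no matching route and no default: the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def owning_member(client_ip: str) -> Optional[str]:
    """Which array member's pool the VPN client address came from, i.e. where replies must go."""
    addr = ipaddress.ip_address(client_ip)
    for (first, last), hop in ((FW1_POOL, FW1_INTERNAL_IP), (FW2_POOL, FW2_INTERNAL_IP)):
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return hop
    return None


def return_path_ok(router_table: Iterable[Route], client_ip: str) -> bool:
    """True when the internal router forwards the reply to the member holding the client's tunnel."""
    return lookup(router_table, client_ip) == owning_member(client_ip)


# Constructed internal-router tables for the before/after comparison.
BROKEN_ROUTER: List[Route] = [(INTERNAL_NET, "connected")]  # knows nothing about 10.1.16.x
NAIVE_ROUTER: List[Route] = BROKEN_ROUTER + [(ipaddress.ip_network("10.1.16.0/28"), FW1_INTERNAL_IP)]
FIXED_ROUTER: List[Route] = (BROKEN_ROUTER
                             + pool_routes(*FW1_POOL, FW1_INTERNAL_IP)
                             + pool_routes(*FW2_POOL, FW2_INTERNAL_IP))

if __name__ == "__main__":
    # The six routes an internal router needs, one per CIDR fragment of the two pools.
    for net, hop in FIXED_ROUTER[1:]:
        print(f"route add {net} via {hop}")
    for label, table in (("broken", BROKEN_ROUTER), ("single /28", NAIVE_ROUTER), ("fixed", FIXED_ROUTER)):
        print(label, "reply to 10.1.16.7 ->", lookup(table, "10.1.16.7"),
              "reaches owning member:", return_path_ok(table, "10.1.16.7"))
```

Run it and the "fixed" table is the only one where 10.1.16.7 (the address Petrus's client received) is handed back to FW2; the "broken" table has no route at all, which is the drop Mohit describes, and the single /28 silently delivers FW2's clients to FW1.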
  • Hello Pepperix,

    Are you able to Ping or RDP to the server on which you're trying to access the file share, from a VPN Client? If you are, then your issue is different from what Petrus_KL is experiencing. In order to access a file share in the internal network from a VPN client, you'll have to allow Microsoft CIFS (SMB) (TCP Port 445) from the VPN clients to the internal network. In case this protocol is already allowed between the VPN clients and the internal network, please check the Windows/Third Party AV/Firewall configuration to verify that the required port is allowed.

    In case you're not able to Ping or RDP to this internal machine from a VPN Client, please check the routing in your internal network to ensure that the network devices (Routers) in that network segment are pointing to TMG as Gateway for the VPN Client network.

    If the above doesn't help, I would recommend that you start/create a new thread.


    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Wednesday, September 8, 2010 9:11 PM
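An added example (not code from the thread or from TMG) that does the check Mohit asks for in both answers: is the protocol actually allowed by the ordered access rules, or is the flow falling through to the Default rule? It models TMG's top-down, first-match evaluation over the policy exactly as Petrus listed it (rule 4 disabled, as stated), and then over a constructed variant in which rule 3 is narrowed to ping and RDP so that SMB is not listed, which is the Pepperix-shaped case. Network rules (the route/NAT relationships) are assumed to already permit the pair; the protocol names and the "url categories (placeholder)" destination are labels I chose for the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "all networks"  # TMG's catch-all network set, as used in the thread's Default rule


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[FrozenSet[str]]  # None models "all outbound" / "all traffic"
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    enabled: bool = True


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


def _match(rule: Rule, protocol: str, src: str, dst: str) -> bool:
    """A disabled rule never matches; otherwise protocol, source and destination must all fit."""
    proto_ok = rule.protocols is None or protocol in rule.protocols
    src_ok = ANY in rule.sources or src in rule.sources
    dst_ok = ANY in rule.destinations or dst in rule.destinations
    return rule.enabled and proto_ok and src_ok and dst_ok


def evaluate(policy: List[Rule], protocol: str, src: str, dst: str) -> Tuple[str, str]:
    """Walk the ordered policy top-down and return (action, rule name) of the first match.

    Only access rules are modelled; the network rule 'VPN clients to internal network, route'
    from the question is assumed to already allow the pair.
    """
    for rule in policy:
        if _match(rule, protocol, src, dst):
            return rule.action, rule.name
    return "deny", "implicit deny"  # not reached while a catch-all Default rule is last


# The firewall policy as listed in the question, in the same order, rule 4 disabled as stated.
PETRUS_POLICY: List[Rule] = [
    Rule("VPN Clients to local host", "allow", None, fs("vpn clients"), fs("local host")),
    Rule("VPN Clients to external", "allow", None, fs("vpn clients"), fs("external")),
    Rule("VPN Clients to internal", "allow", None, fs("vpn clients"), fs("internal")),
    Rule("Blocked Web Destinations", "deny", fs("http", "https"), fs("internal"),
         fs("url categories (placeholder)"), enabled=False),
    Rule("Allow Web Access for All Users", "allow", None, fs("internal"), fs("external")),
    Rule("Default rule", "deny", None, fs(ANY), fs(ANY)),
]

# Constructed variant: rule 3 narrowed so ping and RDP work but SMB is not listed.
NARROW_POLICY: List[Rule] = [
    PETRUS_POLICY[0], PETRUS_POLICY[1],
    Rule("VPN Clients to internal", "allow", fs("ping", "rdp"), fs("vpn clients"), fs("internal")),
    PETRUS_POLICY[4], PETRUS_POLICY[5],
]

CIFS = "microsoft cifs (tcp 445)"  # label for the protocol Mohit names, not a TMG identifier

if __name__ == "__main__":
    for policy_name, policy in (("question's policy", PETRUS_POLICY), ("narrowed rule 3", NARROW_POLICY)):
        for proto in ("ping", "rdp", CIFS):
            print(policy_name, proto, "vpn clients -> internal:", evaluate(policy, proto, "vpn clients", "internal"))
```

With the policy from the question every protocol from VPN clients to internal hits rule 3, so the access rules are not what was failing for Petrus, which is consistent with the routing diagnosis; with the narrowed rule 3, ping and RDP succeed while TCP 445 lands on the Default rule, which is the symptom pattern Pepperix reports.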

All replies

  • Hi,

    Thank you for the post.

    “i cant access any of the resources in the internal network” - would you please elaborate on that? RDP, network share?

    Regards,


    Nick Gu - MSFT
    Wednesday, September 1, 2010 9:01 AM
    Moderator
  • Hi, and sorry for not specifying the protocols. Nothing works; well, I've only tried ping, RDP, DNS, HTTP and HTTPS.

    DNS servers are set to the internal servers and I can't do any lookups, internal or external. If I change the server in nslookup to my ISP's server, I can resolve external names.

    Below is the route print command run from my home Win7 machine when connected to the VPN. It's in Finnish, sorry.

    VPN-Yhteys = the VPN connection

    192.168.1.0 = my home network

    192.168.1.1 = my gw

    192.168.1.34 = my machine's IP

    10.1.16.7 = IP received from the TMG when connected to the VPN

    ===========================================================================

    Sovitinluettelo

    28...........................VPN-yhteys

    13...00 1e 0b b8 82 24 ......Intel(R) 82566DM-2 Gigabit Network Connection

      1...........................Software Loopback Interface 1

    11...00 00 00 00 00 00 00 e0 Microsoft ISATAP -sovitin

    12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

    15...00 00 00 00 00 00 00 e0 Microsoft ISATAP -sovitin #2
    ===========================================================================

    IPv4 -reititystaulukko

    ===========================================================================

    Active Routes:

    Verkkokohde        Verkon peite          Yhdyskäytävä     Liittymä  Metric-arvo

              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.34   4245

              0.0.0.0          0.0.0.0   Linkin määrittämä         10.1.16.7

            10.1.16.7  255.255.255.255   Linkin määrittämä         10.1.16.7    2

      my external ip   255.255.255.255      192.168.1.1     192.168.1.34   4246

             127.0.0.0        255.0.0.0   Linkin määrittämä         127.0.0.1   45

            127.0.0.1  255.255.255.255   Linkin määrittämä         127.0.0.1   45

      127.255.255.255  255.255.255.255   Linkin määrittämä         127.0.0.1   45

          192.168.1.0    255.255.255.0   Linkin määrittämä      192.168.1.34   45

         192.168.1.34  255.255.255.255   Linkin määrittämä      192.168.1.34   45

        192.168.1.255  255.255.255.255   Linkin määrittämä      192.168.1.34   45

            224.0.0.0        240.0.0.0   Linkin määrittämä         127.0.0.1   45

            224.0.0.0        240.0.0.0   Linkin määrittämä      192.168.1.34   45

            224.0.0.0        240.0.0.0   Linkin määrittämä         10.1.16.7

      255.255.255.255  255.255.255.255   Linkin määrittämä         127.0.0.1   45

      255.255.255.255  255.255.255.255   Linkin määrittämä      192.168.1.34   45

      255.255.255.255  255.255.255.255   Linkin määrittämä         10.1.16.7    2

    ===========================================================================

    Jatkuvat reitit:

      Ei mitään

    IPv6 -reititystaulukko

    ===========================================================================

    Active Routes:

    Jos verkkokohde on Metric-kohdeyhdyskäytävä

      1    306 ::1/128                  Linkin määrittämä

    13    276 fe80::/64                Linkin määrittämä

    13    276 fe80::49e7:81a1:10ab:5b2e/128

                                        Linkin määrittämä

      1    306 ff00::/8                 Linkin määrittämä

    13    276 ff00::/8                 Linkin määrittämä

    ===========================================================================

    Jatkuvat reitit:

      Ei mitään

    Wednesday, September 1, 2010 9:21 AM
  • Hi, I have a similar problem....

    With my VPN client I can connect to my office's TMG, I can ping servers inside my office, I can use remote desktop without any problem.... but I can't access \\server_ip\resource.

    Maybe I forgot to enable some specific protocol on the Web Access Rule (about VPN clients)?

    Friday, September 3, 2010 7:58 AM
  • Thanks Mohit, it was the default gw issue. I should have picked up on that, of course it can't work when the servers don't know about the VPN network :/
    Tuesday, September 14, 2010 7:44 AM