No internet access on TMG server and VPN client.

  • Question

  • Hi,

    I cannot access internet on TMG server and VPN client machine.

    All rules are created properly.

    I can ping google.com and browse by public IP from the TMG server. No other browsing.

    I cannot access internet from VPN client but I can browse with public IP.


    fasil cv

    Tuesday, July 22, 2014 6:38 AM

Answers

  • The first question I would ask is if this has ever worked? Are you using this as a regular forward proxy for non-VPN clients and does it work for them?

    Based on the Live Logging you posted above it looks like the TMG Server is never getting a response from the destination server. It could be that an upstream device is not allowing the communication out or allowing it to come back. Do you know what upstream devices there are and do you own them? You mentioned that this was an Edge device but is the default gateway a router you own or your ISP?

    If name resolution is working (and from what you have said earlier it seems that it is), then this is something else entirely.

    Friday, July 25, 2014 5:23 PM
    Answerer

All replies

  • Can someone help me, please?


    fasil cv


    • Edited by Fasil CV Tuesday, July 22, 2014 12:04 PM
    Tuesday, July 22, 2014 12:04 PM
  • Hi,

    Thanks for your question.

    Firstly, I recommend that you check the real-time logs on the TMG server or the event logs on the VPN client to see if there are any related error messages.

    In addition, would you please share more detailed information about your deployment?

    Did this issue affect all the VPN clients, or just few VPN clients? Did you use TMG as your VPN server? What access rules have you created? Please make sure that you have created a rule to enable the VPN clients to access the Internet because the default configuration of the VPN client is to disable split tunneling and the VPN client must be able to reach the Internet through the VPN server.

    Besides, since you can access with public IP addresses, it seems to be a DNS related issue. What is the DNS server configuration on your TMG server? Can you ping other websites with host names and IP addresses? In general, you need to configure a DNS server on the internal adapter of the TMG server and this DNS server should be configured to use forwarders or root hints so that it can resolve both internal and Internet host names.

    More information:

    Planning for DNS name resolution

    Best regards,

    Susie

    Wednesday, July 23, 2014 3:17 AM
    Moderator
  • Hi Susie,

    Thank you for your reply.

    The real-time log is:

    Closed Connection
    Log type: Firewall service
    Status: A connection was closed because no SYN/ACK reply was received from the server.
    Rule: Allow_Internet_All
    Source: VPN Clients (10.56.15.84:64539)
    Destination: External (mrs02s04-in-f24.1e100.net 173.194.39.56:443)
    Protocol: HTTPS
    User: Mycomapny\Test.User
     Additional information
    1. Number of bytes sent: 152 Number of bytes received: 0
    2. Processing time: 69997ms Original Client IP: 10.56.15.84

    Network setup is: edge firewall

    This affects all VPN clients; TMG is used as a VPN client, site-to-site VPN, and Internet sharing to all workstations. Rules are created properly – rule details will be sent in the next reply.

    The DNS configuration for TMG server: External public DNS and internal local server (DC) DNS and configured to use forwarders (Public DNS IP).

    I can ping all websites and browse through public IP; also, some of the websites can be browsed (www.microsoft.com, www.symantec.com).



    fasil cv



    • Edited by Fasil CV Wednesday, July 23, 2014 9:43 AM
    Wednesday, July 23, 2014 9:37 AM
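
Added example, not part of any post in this thread: a small Python check, run from the affected machine, that reports whether a site fails at name resolution or at the TCP handshake, the two causes being weighed in this discussion. The function name, stage labels and host list are assumptions of this example.

```python
import socket

# What each stage means for the symptom in this thread (wording is this example's own).
HINTS = {
    "dns_failure": "name did not resolve: check the DNS servers and forwarders in use",
    "tcp_no_reply": "name resolved but no SYN/ACK arrived before the timeout, the same "
                    "symptom as the TMG log entry: check rules, NAT and upstream devices",
    "tcp_refused": "destination answered with a reset: path works, port is closed",
    "tcp_error": "local or routing error before the handshake completed",
    "ok": "name resolution and TCP handshake both succeeded",
}

def triage(host, port=443, timeout=5.0,
           resolve=socket.gethostbyname, connect=socket.create_connection):
    """Return (stage, detail) for the first step that fails for host:port.

    resolve/connect are injectable so the logic can be exercised offline.
    """
    try:
        ip = resolve(host)
    except socket.gaierror as exc:
        return ("dns_failure", str(exc))
    try:
        conn = connect((ip, port), timeout)
    except socket.timeout:
        return ("tcp_no_reply", ip)
    except ConnectionRefusedError:
        return ("tcp_refused", ip)
    except OSError as exc:
        return ("tcp_error", f"{ip}: {exc}")
    conn.close()
    return ("ok", ip)

if __name__ == "__main__":
    # Hosts named in the thread; compare a site that fails with one that works.
    for name in ("www.google.com", "www.microsoft.com", "www.symantec.com"):
        stage, detail = triage(name)
        print(f"{name:22} {stage:13} {detail}\n    -> {HINTS[stage]}")
```

A `dns_failure` result points at the resolver configuration, while `tcp_no_reply` for a name that resolved means the problem lies beyond DNS.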
  • TMG Rules

    fasil cv

    Wednesday, July 23, 2014 9:38 AM
  • Is it required to create any rule or set the priority of rules?


    fasil cv

    Thursday, July 24, 2014 5:21 AM
  • Anyone, please help me


    fasil cv

    Thursday, July 24, 2014 7:29 AM
  • Hi,

    Did you mean that you can ping all the websites via IP addresses and hostnames? I recommend deleting the DNS servers on the external NIC to see if the issue remains.

    In addition, I am not sure if the EDNS0 feature is causing the DNS packets to be blocked by the firewall. I recommend that you disable the EDNS0 feature on the Windows-based DNS server to see if the issue persists:

    Some DNS name queries are unsuccessful after you deploy a Windows-based DNS server

    Best regards,

    Susie

    Thursday, July 24, 2014 9:05 AM
    Moderator
  • Hi, I tried both ways; still not working. Yes, I can ping all websites and browse by public IP. Also, I can browse the www.microsoft.com and www.symantec.com websites.

    fasil cv

    Thursday, July 24, 2014 7:35 PM
  • Hi,

    Thank you for your reply.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best regards,

    Susie

    Friday, July 25, 2014 6:27 AM
    Moderator
  • Any update on this?
    Wednesday, July 30, 2014 1:58 PM
    Answerer
  • Sorry for the delay in replying. I was on vacation.

    It has never worked from the beginning, and it is working for non-VPN clients.

    I can reach all websites by the public IP of the particular website, but it does not work with the full name (e.g. www.google.com)


    fasil cv

    Wednesday, August 13, 2014 1:58 PM
  • Hi Keith Abluton, can you help me?

    fasil cv

    Sunday, August 17, 2014 8:53 AM